{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/netty-codec-stomp-4.2.x/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["netty-codec-stomp (4.2.x)","netty-codec-stomp (4.1.x)"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","vulnerability","netty","java","application-layer"],"_cs_type":"advisory","_cs_vendors":["Netty Project"],"content_html":"\u003cp\u003eA high-severity denial of service vulnerability, CVE-2026-44891, has been identified in the \u003ccode\u003eStompSubframeDecoder\u003c/code\u003e component of the Netty \u003ccode\u003enetty-codec-stomp\u003c/code\u003e library. This vulnerability affects versions \u003ccode\u003enetty-codec-stomp\u003c/code\u003e \u0026gt;= 4.2.0.Alpha1 and \u0026lt;= 4.2.15.Final, as well as versions \u0026lt;= 4.1.135.Final. The \u003ccode\u003eStompSubframeDecoder\u003c/code\u003e, responsible for implementing the STOMP protocol, fails to impose limits on the total number or cumulative size of headers within a single STOMP frame. An unauthenticated attacker can exploit this flaw by sending a specially crafted STOMP message containing a large volume of short headers. This leads to an uncontrolled accumulation of headers in memory, causing the Java Virtual Machine (JVM) to throw an \u003ccode\u003eOutOfMemoryError\u003c/code\u003e and subsequently crash the server application. This vulnerability poses a significant risk to any server exposing a STOMP endpoint utilizing the affected Netty components.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a target system running an application that uses the vulnerable Netty \u003ccode\u003enetty-codec-stomp\u003c/code\u003e library.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious STOMP \u003ccode\u003eCONNECT\u003c/code\u003e message, specifically designed to include an exceptionally large number of short, arbitrary headers (e.g., \u003ccode\u003ea:1\\n\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker sends this malformed STOMP message over the network to the vulnerable server's STOMP endpoint.\u003c/li\u003e\n\u003cli\u003eUpon receipt, the \u003ccode\u003eStompSubframeDecoder\u003c/code\u003e component processes the incoming message, accumulating the unbounded headers in memory.\u003c/li\u003e\n\u003cli\u003eDue to the lack of limits on total header count or cumulative size, this accumulation rapidly consumes the available heap memory of the Java Virtual Machine (JVM) hosting the server application.\u003c/li\u003e\n\u003cli\u003eThe JVM experiences a critical \u003ccode\u003eOutOfMemoryError\u003c/code\u003e, leading to an abrupt termination of the server application.\u003c/li\u003e\n\u003cli\u003eThe application crash results in a Denial of Service (DoS), rendering the service unavailable to legitimate users.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-44891 leads directly to a Denial of Service (DoS) for affected applications. An attacker can easily exhaust the server's memory by sending a single, maliciously crafted STOMP message, causing the Java Virtual Machine (JVM) to encounter an \u003ccode\u003eOutOfMemoryError\u003c/code\u003e and crash the application. This renders the service completely unavailable to legitimate users, potentially causing significant operational disruption and financial losses depending on the nature and criticality of the affected system. While specific victim counts are not provided, any server exposing a STOMP endpoint built with the vulnerable \u003ccode\u003eStompSubframeDecoder\u003c/code\u003e is susceptible.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003enetty-codec-stomp\u003c/code\u003e library to a patched version immediately to remediate CVE-2026-44891.\u003c/li\u003e\n\u003cli\u003eReview network traffic logs for STOMP \u003ccode\u003eCONNECT\u003c/code\u003e messages that contain an unusually high number of headers or exhibit rapid increases in payload size, indicative of attempts to exploit CVE-2026-44891.\u003c/li\u003e\n\u003cli\u003eMonitor Java Virtual Machine (JVM) memory usage and application logs for \u003ccode\u003eOutOfMemoryError\u003c/code\u003e exceptions that may indicate a successful denial of service attack related to CVE-2026-44891.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-14T20:38:25Z","date_published":"2026-07-14T20:38:25Z","id":"https://feed.craftedsignal.io/briefs/2026-07-netty-dos/","summary":"A high-severity denial of service vulnerability, identified as CVE-2026-44891, exists in the `StompSubframeDecoder` component of Netty's `netty-codec-stomp` library, allowing an unauthenticated attacker to exhaust server memory and cause an `OutOfMemoryError` by sending a STOMP message with an excessive number of headers, leading to application crashes.","title":"Netty StompSubframeDecoder Denial of Service Vulnerability (CVE-2026-44891)","url":"https://feed.craftedsignal.io/briefs/2026-07-netty-dos/"}],"language":"en","title":"CraftedSignal Threat Feed - Netty-Codec-Stomp (4.2.x)","version":"https://jsonfeed.org/version/1.1"}