{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-33871/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["denial-of-service","http2","netty","cve-2026-33871"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Netty HTTP/2 CONTINUATION Frame Flood vulnerability (CVE-2026-33871) allows a remote, unauthenticated user to trigger a Denial of Service (DoS) condition on a Netty-based HTTP/2 server. This is achieved by sending a flood of HTTP/2 \u003ccode\u003eCONTINUATION\u003c/code\u003e frames, each containing a zero-byte payload. The vulnerability exists because Netty\u0026rsquo;s \u003ccode\u003eDefaultHttp2FrameReader\u003c/code\u003e does not enforce a limit on the number of \u003ccode\u003eCONTINUATION\u003c/code\u003e frames it processes after receiving a \u003ccode\u003eHEADERS\u003c/code\u003e frame without the \u003ccode\u003eEND_HEADERS\u003c/code\u003e flag. The zero-byte payload bypasses the \u003ccode\u003emaxHeaderListSize\u003c/code\u003e protection, as this protection is only triggered when the added payload has a non-zero length. This forces the server to consume excessive CPU resources, monopolizing a connection thread and rendering the server unresponsive to legitimate requests. This vulnerability impacts Netty versions prior to 4.1.132.Final and versions between 4.2.0.Alpha1 and 4.2.10.Final.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker establishes a TCP connection to the targeted Netty HTTP/2 server.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an HTTP/2 \u003ccode\u003eHEADERS\u003c/code\u003e frame to initiate a new stream. The \u003ccode\u003eEND_HEADERS\u003c/code\u003e flag is deliberately omitted from this frame.\u003c/li\u003e\n\u003cli\u003eThe server, upon receiving the \u003ccode\u003eHEADERS\u003c/code\u003e frame without the \u003ccode\u003eEND_HEADERS\u003c/code\u003e flag, prepares to receive subsequent \u003ccode\u003eCONTINUATION\u003c/code\u003e frames.\u003c/li\u003e\n\u003cli\u003eThe attacker floods the server with a series of \u003ccode\u003eCONTINUATION\u003c/code\u003e frames, each containing a zero-byte payload. These frames are sent over the established TCP connection.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eDefaultHttp2FrameReader\u003c/code\u003e processes each \u003ccode\u003eCONTINUATION\u003c/code\u003e frame, but the \u003ccode\u003everifyContinuationFrame()\u003c/code\u003e method fails to enforce a limit on the number of received frames.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eHeadersBlockBuilder.addFragment()\u003c/code\u003e method processes the zero-byte payload, bypassing the \u003ccode\u003emaxHeaderListSize\u003c/code\u003e protection. The server CPU continues to process the stream of \u003ccode\u003eCONTINUATION\u003c/code\u003e frames.\u003c/li\u003e\n\u003cli\u003eThe server exhausts CPU resources on the connection thread, as it is continuously processing the flood of \u003ccode\u003eCONTINUATION\u003c/code\u003e frames.\u003c/li\u003e\n\u003cli\u003eLegitimate users are unable to connect to the server or experience significant delays due to the server\u0026rsquo;s unresponsiveness. This leads to a denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability leads to a CPU-based Denial of Service (DoS). All services using the vulnerable Netty HTTP/2 server implementation are susceptible. An unauthenticated attacker can exhaust server CPU resources, preventing legitimate users from accessing the service. The minimal bandwidth requirement for this attack makes it practical and scalable, allowing an attacker to disrupt services with limited resources. Successful exploitation results in service unavailability, impacting business operations and user experience.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Netty version 4.1.132.Final or 4.2.10.Final or later to patch CVE-2026-33871.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on HTTP/2 \u003ccode\u003eCONTINUATION\u003c/code\u003e frames to mitigate the impact of a flood attack. Consider implementing this at the application level if upgrading Netty is not immediately feasible.\u003c/li\u003e\n\u003cli\u003eMonitor CPU usage on servers running Netty HTTP/2 services. Alert on sustained high CPU usage, which may indicate an ongoing attack.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to detect potential exploitation attempts in your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-26T18:51:14Z","date_published":"2026-03-26T18:51:14Z","id":"/briefs/2026-05-03-netty-http2-dos/","summary":"A denial of service vulnerability exists in Netty's HTTP/2 server implementation where an unauthenticated user can exhaust server CPU resources by sending a flood of CONTINUATION frames with zero-byte payloads, bypassing size-based mitigations and leading to service unavailability with minimal bandwidth usage; affected versions include netty-codec-http2 \u003c 4.1.132.Final and netty-codec-http2 versions \u003e= 4.2.0.Alpha1 and \u003c 4.2.10.Final.","title":"Netty HTTP/2 CONTINUATION Frame Flood Denial of Service","url":"https://feed.craftedsignal.io/briefs/2026-05-03-netty-http2-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-33871","version":"https://jsonfeed.org/version/1.1"}