Suricata HTTP2 Continuation Frame Flooding Denial of Service (CVE-2026-31935)

hello@craftedsignal.io — Thu, 02 Apr 2026 15:16:37 +0000

CVE-2026-31935 describes a denial-of-service vulnerability affecting Suricata, a network IDS, IPS, and NSM engine. The vulnerability lies in the processing of HTTP2 continuation frames. Versions prior to 7.0.15 and 8.0.4 are susceptible to memory exhaustion when flooded with maliciously crafted HTTP2 continuation frames. This excessive memory consumption typically results in the operating system shutting down the Suricata process to prevent system instability. The vulnerability was reported and patched by the Open Information Security Foundation (OISF), the maintainers of Suricata, in versions 7.0.15 and 8.0.4. This vulnerability can be exploited by unauthenticated attackers from the network.

Attack Chain

The attacker identifies a vulnerable Suricata instance running a version prior to 7.0.15 or 8.0.4.
The attacker establishes an HTTP2 connection with the target Suricata instance.
The attacker crafts a series of malicious HTTP2 continuation frames.
The attacker floods the Suricata instance with these crafted continuation frames over the established HTTP2 connection.
The Suricata process attempts to allocate memory to process the excessive number of continuation frames.
Memory consumption rapidly increases as the vulnerable code fails to properly handle the flood of continuation frames.
The system reaches its memory limit, leading to resource exhaustion.
The operating system intervenes and terminates the Suricata process to prevent further system instability, resulting in a denial-of-service.

Impact

Successful exploitation of CVE-2026-31935 results in a denial-of-service condition, effectively disabling the Suricata instance’s ability to perform network intrusion detection and prevention. This can leave networks unprotected from malicious traffic. The vulnerability can be triggered remotely without authentication, making it a readily exploitable threat. The precise number of affected Suricata deployments is unknown, but organizations relying on Suricata for network security monitoring are potentially at risk.

Recommendation

Upgrade all Suricata installations to version 7.0.15 or 8.0.4 or later to patch CVE-2026-31935.
Deploy the Sigma rule “Detect Suspicious HTTP2 Continuation Frame Flooding” to monitor for potential exploitation attempts.
Monitor Suricata process health and resource consumption for unexpected spikes in memory usage that could indicate a denial-of-service attack.

Netty HTTP/2 CONTINUATION Frame Flood Denial of Service

hello@craftedsignal.io — Thu, 26 Mar 2026 18:51:14 +0000

The Netty HTTP/2 CONTINUATION Frame Flood vulnerability (CVE-2026-33871) allows a remote, unauthenticated user to trigger a Denial of Service (DoS) condition on a Netty-based HTTP/2 server. This is achieved by sending a flood of HTTP/2 CONTINUATION frames, each containing a zero-byte payload. The vulnerability exists because Netty’s DefaultHttp2FrameReader does not enforce a limit on the number of CONTINUATION frames it processes after receiving a HEADERS frame without the END_HEADERS flag. The zero-byte payload bypasses the maxHeaderListSize protection, as this protection is only triggered when the added payload has a non-zero length. This forces the server to consume excessive CPU resources, monopolizing a connection thread and rendering the server unresponsive to legitimate requests. This vulnerability impacts Netty versions prior to 4.1.132.Final and versions between 4.2.0.Alpha1 and 4.2.10.Final.

Attack Chain

The attacker establishes a TCP connection to the targeted Netty HTTP/2 server.
The attacker sends an HTTP/2 HEADERS frame to initiate a new stream. The END_HEADERS flag is deliberately omitted from this frame.
The server, upon receiving the HEADERS frame without the END_HEADERS flag, prepares to receive subsequent CONTINUATION frames.
The attacker floods the server with a series of CONTINUATION frames, each containing a zero-byte payload. These frames are sent over the established TCP connection.
The DefaultHttp2FrameReader processes each CONTINUATION frame, but the verifyContinuationFrame() method fails to enforce a limit on the number of received frames.
The HeadersBlockBuilder.addFragment() method processes the zero-byte payload, bypassing the maxHeaderListSize protection. The server CPU continues to process the stream of CONTINUATION frames.
The server exhausts CPU resources on the connection thread, as it is continuously processing the flood of CONTINUATION frames.
Legitimate users are unable to connect to the server or experience significant delays due to the server’s unresponsiveness. This leads to a denial of service.

Impact

This vulnerability leads to a CPU-based Denial of Service (DoS). All services using the vulnerable Netty HTTP/2 server implementation are susceptible. An unauthenticated attacker can exhaust server CPU resources, preventing legitimate users from accessing the service. The minimal bandwidth requirement for this attack makes it practical and scalable, allowing an attacker to disrupt services with limited resources. Successful exploitation results in service unavailability, impacting business operations and user experience.

Recommendation

Upgrade to Netty version 4.1.132.Final or 4.2.10.Final or later to patch CVE-2026-33871.
Implement rate limiting on HTTP/2 CONTINUATION frames to mitigate the impact of a flood attack. Consider implementing this at the application level if upgrading Netty is not immediately feasible.
Monitor CPU usage on servers running Netty HTTP/2 services. Alert on sustained high CPU usage, which may indicate an ongoing attack.
Deploy the Sigma rules provided in this brief to detect potential exploitation attempts in your environment.

Http2 — CraftedSignal Threat Feed

Suricata HTTP2 Continuation Frame Flooding Denial of Service (CVE-2026-31935)

Attack Chain

Impact

Recommendation

Netty HTTP/2 CONTINUATION Frame Flood Denial of Service

Attack Chain

Impact

Recommendation