CVE Alert

CVE-2026-50560

UNKNOWN 0.0

Netty susceptible to HTTP/2 Reset Attack with different on-the-wire signature

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 5th

Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty's HTTP/2 max header size handling allows an attack similar to HTTP/2 Rapid Reset. The HTTP/2 specification defines a setting called `SETTINGS_MAX_HEADER_LIST_SIZE`. When a client sends that setting to Netty, it appears that Netty will behave as follows: read the request; proxy the request to the origin; attempt to produce a response; and throw an exception while writing the headers for the response. Functionally, this should be similar to the HTTP/2 reset attack, but with a different on-the-wire signature. Versions 4.1.135.Final and 4.2.15.Final patch the issue.

CWE: CWE-770
Vendor: netty
Product: netty
Published: Jun 12, 2026

Affected Versions

netty / netty
>= 4.2.0.Final, < 4.2.15.Final
< 4.1.135.Final

References

github.com: https://github.com/netty/netty/security/advisories/GHSA-563q-j3cm-6jxm
github.com: https://github.com/netty/netty/releases/tag/netty-4.1.135.Final
github.com: https://github.com/netty/netty/releases/tag/netty-4.2.15.Final
rfc-editor.org: https://www.rfc-editor.org/rfc/rfc9113.html#name-defined-settings