{ "threat_severity" : "Important", "public_date" : "2026-03-27T19:55:23Z", "bugzilla" : { "description" : "netty: Netty: Denial of Service via HTTP/2 CONTINUATION frame flood", "id" : "2452456", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2452456" }, "cvss3" : { "cvss3_base_score" : "7.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-770", "details" : [ "Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATION` frames. The server's lack of a limit on the number of `CONTINUATION` frames, combined with a bypass of existing size-based mitigations using zero-byte frames, allows an user to cause excessive CPU consumption with minimal bandwidth, rendering the server unresponsive. Versions 4.1.132.Final and 4.2.10.Final fix the issue.", "A flaw was found in Netty. A remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of CONTINUATION frames. The server's lack of a limit on these frames, coupled with a bypass of size-based mitigations using zero-byte frames, allows an attacker to consume excessive CPU resources. This can render the server unresponsive with minimal bandwidth usage." ], "statement" : "This important vulnerability in Netty HTTP/2 servers allows a remote attacker to cause a Denial of Service by sending a flood of CONTINUATION frames. This can lead to excessive CPU consumption and render the server unresponsive. Red Hat products utilizing affected Netty versions, such as Red Hat AMQ, Enterprise Application Platform, and OpenShift Container Platform components, are impacted if configured to use HTTP/2.", "affected_release" : [ { "product_name" : "Red Hat AMQ Broker 7.14.0", "release_date" : "2026-04-16T00:00:00Z", "advisory" : "RHSA-2026:8509", "cpe" : "cpe:/a:redhat:amq_broker:7.14", "package" : "netty-codec-http" }, { "product_name" : "Red Hat AMQ Broker 7.14.0", "release_date" : "2026-04-16T00:00:00Z", "advisory" : "RHSA-2026:8509", "cpe" : "cpe:/a:redhat:amq_broker:7.14", "package" : "netty-codec-http2" }, { "product_name" : "Red Hat Build of Apache Camel 4.14 for Quarkus 3.27", "release_date" : "2026-04-14T00:00:00Z", "advisory" : "RHSA-2026:8159", "cpe" : "cpe:/a:redhat:apache_camel_quarkus:3.27", "package" : "netty-codec-http2" }, { "product_name" : "Red Hat build of Quarkus 3.20.6", "release_date" : "2026-04-14T00:00:00Z", "advisory" : "RHSA-2026:7109", "cpe" : "cpe:/a:redhat:quarkus:3.20::el8", "package" : "netty-codec-http2" }, { "product_name" : "Red Hat build of Quarkus 3.27.3", "release_date" : "2026-04-14T00:00:00Z", "advisory" : "RHSA-2026:7380", "cpe" : "cpe:/a:redhat:quarkus:3.27::el8", "package" : "netty-codec-http2" }, { "product_name" : "Red Hat OpenShift AI 2.25", "release_date" : "2026-04-23T00:00:00Z", "advisory" : "RHSA-2026:10184", "cpe" : "cpe:/a:redhat:openshift_ai:2.25::el9", "package" : "rhoai/odh-modelmesh-rhel9:sha256:ef9eae46fb64606e5d943c1dbc30eddbad35e50a2e67062f4c1a98bea48da038" }, { "product_name" : "Red Hat OpenShift Dev Spaces 3.27", "release_date" : "2026-04-23T00:00:00Z", "advisory" : "RHSA-2026:10175", "cpe" : "cpe:/a:redhat:openshift_devspaces:3.27::el9", "package" : "devspaces/openvsx-rhel9:sha256:12650f16ec1d9a079736da2d7e7428c791ae9a105bc0237814b9a2edd9f9a0ae" }, { "product_name" : "Red Hat OpenShift Dev Spaces 3.27", "release_date" : "2026-04-23T00:00:00Z", "advisory" : "RHSA-2026:10175", "cpe" : "cpe:/a:redhat:openshift_devspaces:3.27::el9", "package" : "devspaces/pluginregistry-rhel9:sha256:27e30c7cede8d846cac4c623e84c6791a64b918136c5b781e9e885139fe237fb" }, { "product_name" : "Red Hat OpenShift Dev Spaces 3.27", "release_date" : "2026-04-23T00:00:00Z", "advisory" : "RHSA-2026:10175", "cpe" : "cpe:/a:redhat:openshift_devspaces:3.27::el9", "package" : "devspaces/server-rhel9:sha256:57b73c1ca124517557ba4b054c6367f0c045f588ec03a41e97184907562ca4e4" } ], "package_state" : [ { "product_name" : "Cryostat 4", "fix_state" : "Affected", "package_name" : "netty-codec-http", "cpe" : "cpe:/a:redhat:cryostat:4" }, { "product_name" : "Cryostat 4", "fix_state" : "Affected", "package_name" : "netty-codec-http2", "cpe" : "cpe:/a:redhat:cryostat:4" }, { "product_name" : "Logging Subsystem for Red Hat OpenShift", "fix_state" : "Affected", "package_name" : "openshift-logging/elasticsearch6-rhel9", "cpe" : "cpe:/a:redhat:logging:5" }, { "product_name" : "Logging Subsystem for Red Hat OpenShift", "fix_state" : "Affected", "package_name" : "openshift-logging/elasticsearch-operator-bundle", "cpe" : "cpe:/a:redhat:logging:5" }, { "product_name" : "Logging Subsystem for Red Hat OpenShift", "fix_state" : "Affected", "package_name" : "openshift-logging/elasticsearch-proxy-rhel9", "cpe" : "cpe:/a:redhat:logging:5" }, { "product_name" : "Logging Subsystem for Red Hat OpenShift", "fix_state" : "Affected", "package_name" : "openshift-logging/elasticsearch-rhel9-operator", "cpe" : "cpe:/a:redhat:logging:5" }, { "product_name" : "Logging Subsystem for Red Hat OpenShift", "fix_state" : "Affected", "package_name" : "openshift-logging/kibana6-rhel8", "cpe" : "cpe:/a:redhat:logging:5" }, { "product_name" : "Logging Subsystem for Red Hat OpenShift", "fix_state" : "Affected", "package_name" : "openshift-logging/logging-curator5-rhel9", "cpe" : "cpe:/a:redhat:logging:5" }, { "product_name" : "OpenShift Serverless", "fix_state" : "Affected", "package_name" : "openshift-serverless-1/kn-ekb-dispatcher-rhel9", "cpe" : "cpe:/a:redhat:serverless:1" }, { "product_name" : "OpenShift Serverless", "fix_state" : "Affected", "package_name" : "openshift-serverless-1/kn-ekb-receiver-rhel9", "cpe" : "cpe:/a:redhat:serverless:1" }, { "product_name" : "OpenShift Serverless", "fix_state" : "Will not fix", "package_name" : "openshift-serverless-1/kn-eventing-integrations-aws-ddb-streams-source-rhel9", "cpe" : "cpe:/a:redhat:serverless:1" }, { "product_name" : "OpenShift Serverless", "fix_state" : "Will not fix", "package_name" : "openshift-serverless-1/kn-eventing-integrations-aws-s3-sink-rhel9", "cpe" : "cpe:/a:redhat:serverless:1" }, { "product_name" : "OpenShift Serverless", "fix_state" : "Will not fix", "package_name" : "openshift-serverless-1/kn-eventing-integrations-aws-s3-source-rhel9", "cpe" : "cpe:/a:redhat:serverless:1" }, { "product_name" : "OpenShift Serverless", "fix_state" : "Will not fix", "package_name" : "openshift-serverless-1/kn-eventing-integrations-aws-sns-sink-rhel9", "cpe" : "cpe:/a:redhat:serverless:1" }, { "product_name" : "OpenShift Serverless", "fix_state" : "Will not fix", "package_name" : "openshift-serverless-1/kn-eventing-integrations-aws-sqs-sink-rhel9", "cpe" : "cpe:/a:redhat:serverless:1" }, { "product_name" : "OpenShift Serverless", "fix_state" : "Will not fix", "package_name" : "openshift-serverless-1/kn-eventing-integrations-aws-sqs-source-rhel9", "cpe" : "cpe:/a:redhat:serverless:1" }, { "product_name" : "OpenShift Serverless", "fix_state" : "Will not fix", "package_name" : "openshift-serverless-1/kn-eventing-integrations-log-sink-rhel9", "cpe" : "cpe:/a:redhat:serverless:1" }, { "product_name" : "OpenShift Serverless", "fix_state" : "Will not fix", "package_name" : "openshift-serverless-1/kn-eventing-integrations-timer-source-rhel9", "cpe" : "cpe:/a:redhat:serverless:1" }, { "product_name" : "Red Hat AMQ Clients", "fix_state" : "Affected", "package_name" : "netty-codec-http", "cpe" : "cpe:/a:redhat:amq_clients:2023" }, { "product_name" : "Red Hat build of Apache Camel 4 for Quarkus 3", "fix_state" : "Affected", "package_name" : "netty-codec-http", "cpe" : "cpe:/a:redhat:camel_quarkus:3" }, { "product_name" : "Red Hat build of Apache Camel 4 for Quarkus 3", "fix_state" : "Affected", "package_name" : "netty-codec-http2", "cpe" : "cpe:/a:redhat:camel_quarkus:3" }, { "product_name" : "Red Hat build of Apache Camel for Spring Boot 4", "fix_state" : "Affected", "package_name" : "netty-codec-http", "cpe" : "cpe:/a:redhat:camel_spring_boot:4" }, { "product_name" : "Red Hat build of Apache Camel for Spring Boot 4", "fix_state" : "Affected", "package_name" : "netty-codec-http2", "cpe" : "cpe:/a:redhat:camel_spring_boot:4" }, { "product_name" : "Red Hat build of Apache Camel - HawtIO 4", "fix_state" : "Affected", "package_name" : "netty-codec-http", "cpe" : "cpe:/a:redhat:apache_camel_hawtio:4" }, { "product_name" : "Red Hat build of Apache Camel - HawtIO 4", "fix_state" : "Affected", "package_name" : "netty-codec-http2", "cpe" : "cpe:/a:redhat:apache_camel_hawtio:4" }, { "product_name" : "Red Hat build of Apicurio Registry 2", "fix_state" : "Affected", "package_name" : "netty-codec-http", "cpe" : "cpe:/a:redhat:service_registry:2" }, { "product_name" : "Red Hat build of Apicurio Registry 2", "fix_state" : "Affected", "package_name" : "netty-codec-http2", "cpe" : "cpe:/a:redhat:service_registry:2" }, { "product_name" : "Red Hat build of Apicurio Registry 3", "fix_state" : "Affected", "package_name" : "netty-codec-http", "cpe" : "cpe:/a:redhat:apicurio_registry:3" }, { "product_name" : "Red Hat build of Apicurio Registry 3", "fix_state" : "Affected", "package_name" : "netty-codec-http2", "cpe" : "cpe:/a:redhat:apicurio_registry:3" }, { "product_name" : "Red Hat build of Debezium 2", "fix_state" : "Affected", "package_name" : "netty-codec-http", "cpe" : "cpe:/a:redhat:debezium:2" }, { "product_name" : "Red Hat build of Debezium 2", "fix_state" : "Affected", "package_name" : "netty-codec-http2", "cpe" : "cpe:/a:redhat:debezium:2" }, { "product_name" : "Red Hat build of Debezium 3", "fix_state" : "Will not fix", "package_name" : "netty-codec-http", "cpe" : "cpe:/a:redhat:debezium:3" }, { "product_name" : "Red Hat build of Debezium 3", "fix_state" : "Will not fix", "package_name" : "netty-codec-http2", "cpe" : "cpe:/a:redhat:debezium:3" }, { "product_name" : "Red Hat Build of Keycloak", "fix_state" : "Affected", "package_name" : "netty-codec-http", "cpe" : "cpe:/a:redhat:build_keycloak:" }, { "product_name" : "Red Hat Build of Keycloak", "fix_state" : "Affected", "package_name" : "netty-codec-http2", "cpe" : "cpe:/a:redhat:build_keycloak:" }, { "product_name" : "Red Hat build of OptaPlanner 8", "fix_state" : "Affected", "package_name" : "netty-codec-http", "cpe" : "cpe:/a:redhat:optaplanner:::el6" }, { "product_name" : "Red Hat build of OptaPlanner 8", "fix_state" : "Affected", "package_name" : "netty-codec-http2", "cpe" : "cpe:/a:redhat:optaplanner:::el6" }, { "product_name" : "Red Hat build of Quarkus", "fix_state" : "Affected", "package_name" : "netty-codec-http", "cpe" : "cpe:/a:redhat:quarkus:3" }, { "product_name" : "Red Hat Data Grid 8", "fix_state" : "Affected", "package_name" : "netty-codec-http", "cpe" : "cpe:/a:redhat:jboss_data_grid:8" }, { "product_name" : "Red Hat Data Grid 8", "fix_state" : "Affected", "package_name" : "netty-codec-http2", "cpe" : "cpe:/a:redhat:jboss_data_grid:8" }, { "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3", "fix_state" : "Affected", "package_name" : "bazel6", "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3" }, { "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3", "fix_state" : "Affected", "package_name" : "bazel7", "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3" }, { "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3", "fix_state" : "Affected", "package_name" : "bazel8", "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3" }, { "product_name" : "Red Hat Fuse 7", "fix_state" : "Will not fix", "package_name" : "netty-codec-http", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat Fuse 7", "fix_state" : "Will not fix", "package_name" : "netty-codec-http2", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7", "fix_state" : "Will not fix", "package_name" : "netty-codec-http", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7", "fix_state" : "Will not fix", "package_name" : "netty-codec-http2", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8", "fix_state" : "Affected", "package_name" : "netty-codec-http", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8", "fix_state" : "Not affected", "package_name" : "netty-codec-http2", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8", "fix_state" : "Not affected", "package_name" : "netty-codec-http2-4.1.100.Final.jar", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8", "fix_state" : "Affected", "package_name" : "netty-codec-http-4.1.100.Final.jar", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "netty-codec-http", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Affected", "package_name" : "netty-codec-http2", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Affected", "package_name" : "netty-codec-http2-4.1.100.Final.jar", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Will not fix", "package_name" : "netty-codec-http2-4.1.128.Final-redhat-00001.jar", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "netty-codec-http-4.1.100.Final.jar", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "netty-codec-http-4.1.130.Final-redhat-00001.jar", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-modelmesh-rhel8", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-trustyai-service-rhel8", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-trustyai-service-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat Process Automation 7", "fix_state" : "Affected", "package_name" : "netty-codec-http", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" }, { "product_name" : "Red Hat Process Automation 7", "fix_state" : "Affected", "package_name" : "netty-codec-http2", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" }, { "product_name" : "Red Hat Satellite 6", "fix_state" : "Not affected", "package_name" : "candlepin", "cpe" : "cpe:/a:redhat:satellite:6" }, { "product_name" : "Red Hat Satellite 6", "fix_state" : "Not affected", "package_name" : "satellite:el8/candlepin", "cpe" : "cpe:/a:redhat:satellite:6" }, { "product_name" : "Red Hat Single Sign-On 7", "fix_state" : "Will not fix", "package_name" : "netty-codec-http", "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7" }, { "product_name" : "Red Hat Single Sign-On 7", "fix_state" : "Will not fix", "package_name" : "netty-codec-http2", "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7" }, { "product_name" : "streams for Apache Kafka 2", "fix_state" : "Affected", "package_name" : "netty-codec-http", "cpe" : "cpe:/a:redhat:amq_streams:2" }, { "product_name" : "streams for Apache Kafka 2", "fix_state" : "Affected", "package_name" : "netty-codec-http2", "cpe" : "cpe:/a:redhat:amq_streams:2" }, { "product_name" : "streams for Apache Kafka 3", "fix_state" : "Affected", "package_name" : "netty-codec-http", "cpe" : "cpe:/a:redhat:amq_streams:3" }, { "product_name" : "streams for Apache Kafka 3", "fix_state" : "Affected", "package_name" : "netty-codec-http2", "cpe" : "cpe:/a:redhat:amq_streams:3" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-33871\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33871\nhttps://github.com/netty/netty/security/advisories/GHSA-w9fj-cfpg-grvv" ], "name" : "CVE-2026-33871", "csaw" : false }