Bug 2452456 (CVE-2026-33871)

Summary: CVE-2026-33871 netty: Netty: Denial of Service via HTTP/2 CONTINUATION frame flood
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: aazores, abrianik, anthomas, ant, aprice, aschwart, asoldano, ataylor, avibelli, bbaranow, bbrownin, bgeorges, bmaxwell, boliveir, bstansbe, caswilli, ccranfor, cescoffi, chfoley, cmah, dandread, dbruscin, dhanak, dkreling, dlofthou, drosa, dsimansk, eaguilar, ebaron, ehelms, ewittman, fmariani, fmongiar, ggainey, ggrzybek, gmalinko, gsmet, ibek, istudens, ivassile, iweiss, janstey, jcantril, jkoehler, jmartisk, jnethert, jolong, jpechane, jrokos, jsamir, juwatts, kaycoth, kgaikwad, kingland, kvanderr, kverlaen, lphiri, lthon, manderse, mhulan, mnovotny, mosmerov, mposolda, mstipich, msvehla, nipatil, nmoumoul, nwallace, oezr, olubyans, osousa, pantinor, parichar, pberan, pbizzarr, pcreech, pdelbell, pesilva, pgallagh, pjindal, pmackay, probinso, rchan, rexwhite, rgodfrey, rguimara, rkubis, rmartinc, rojacob, rruss, rstancel, rstepani, rsvoboda, sausingh, sbiarozk, sdawley, smaestri, smallamp, ssilvert, sthirugn, sthorger, swoodman, tasato, tcunning, thjenkin, tmalecek, tqvarnst, vdosoudi, vmuzikar, yfang
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in Netty. A remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of CONTINUATION frames. The server's lack of a limit on these frames, coupled with a bypass of size-based mitigations using zero-byte frames, allows an attacker to consume excessive CPU resources. This can render the server unresponsive with minimal bandwidth usage.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2453262, 2453263    
Bug Blocks:    

Description OSIDB Bzimport 2026-03-27 21:02:36 UTC 
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATION` frames. The server's lack of a limit on the number of `CONTINUATION` frames, combined with a bypass of existing size-based mitigations using zero-byte frames, allows an user to cause excessive CPU consumption with minimal bandwidth, rendering the server unresponsive. Versions 4.1.132.Final and 4.2.10.Final fix the issue.