{"vulnerability": "CVE-2026-50560", "sightings": [{"uuid": "28fcf258-472b-4e7b-8015-9adcda26e326", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-50560", "type": "seen", "source": "https://gist.github.com/alon710/b74444b3a1d431dd08f4a234b8c8a8c9", "content": "# CVE-2026-50560: Denial of Service in Netty HTTP/2 Codec via Max Header List Size Exception\n\n> **CVSS Score:** 6.9\n> **Published:** 2026-06-15\n> **Full Report:** https://cvereports.com/reports/CVE-2026-50560\n\n## Summary\nCVE-2026-50560 describes a vulnerability in Netty's HTTP/2 codec implementation. When acting as an intermediary (such as a reverse proxy, API gateway, or edge server), Netty can be forced into an application-level Denial-of-Service condition. The attack is triggered by negotiating a restrictive SETTINGS_MAX_HEADER_LIST_SIZE from the client, causing Netty to process incoming requests fully, but subsequently crash or abort during outbound response serialization. This results in an asymmetrical consumption of resources on backend systems and thread starvation within the Netty event loop.\n\n## TL;DR\nAn unauthenticated remote attacker can cause a Denial-of-Service condition in Netty-based HTTP/2 servers by negotiating a very low max header list size. This forces server-side exceptions and stream resets during outbound serialization, evading standard client-driven reset detection mechanics.\n\n## Technical Details\n\n- **CWE ID**: CWE-770\n- **Attack Vector**: Network (Remote)\n- **CVSS v4.0 Score**: 6.9 (Medium)\n- **EPSS Score**: 0.00302\n- **Impact**: Denial of Service (DoS)\n- **Exploit Status**: none\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- Netty HTTP/2 Gateway Servers\n- Netty-based Reverse Proxies\n- Java applications utilizing netty-codec-http2\n- **Netty**: >= 4.1.0.Final, < 4.1.135.Final (Fixed in: `4.1.135.Final`)\n- **Netty**: >= 4.2.0.Final, < 4.2.15.Final (Fixed in: `4.2.15.Final`)\n\n## Mitigation\n\n- Upgrade Netty library dependencies to version 4.1.135.Final or 4.2.15.Final.\n- Configure fronting reverse proxies to enforce a minimum settable limit on SETTINGS_MAX_HEADER_LIST_SIZE.\n- Apply strict connection and concurrency rate limits at the perimeter to limit the volume of pipelined streams from a single source.\n\n**Remediation Steps:**\n1. Identify all projects and microservices using Netty by running a dependency tree check.\n2. Update Maven pom.xml or Gradle build.gradle files to reference Netty version 4.1.135.Final or 4.2.15.Final.\n3. Rebuild and redeploy the affected services to production.\n4. Monitor application log files for HTTP/2 write or serialization exceptions to verify remediation success.\n\n## References\n\n- [Netty Security Advisory GHSA-563q-j3cm-6jxm](https://github.com/netty/netty/security/advisories/GHSA-563q-j3cm-6jxm)\n- [Netty 4.1.135.Final Release](https://github.com/netty/netty/releases/tag/netty-4.1.135.Final)\n- [Netty 4.2.15.Final Release](https://github.com/netty/netty/releases/tag/netty-4.2.15.Final)\n- [RFC 9113 HTTP/2 Defined Settings](https://www.rfc-editor.org/rfc/rfc9113.html#name-defined-settings)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-50560) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-15T22:11:13.000000Z"}]}