Netty susceptible to HTTP/2 Reset Attack with different on-the-wire signature

Summary Netty HTTP/2 max header size handling produces attack similar to HTTP/2 Rapid Reset. Details There is a setting in the http2 specification called SETTINGSMAXHEADERLISTSIZE. According to the RFC: “This advisory setting informs a peer of the maximum field section size that the sender is...

UBUNTU-CVE-2026-47244

Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, DefaultHttp2Connection.DefaultEndpoint initialises maxActiveStreams/maxStreams to Integer.MAXVALUE, and Http2Settings never inserts...

CVE-2026-47244 Netty HTTP/2: Advertised MAX_CONCURRENT_STREAMS are not enforced

Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, DefaultHttp2Connection.DefaultEndpoint initialises maxActiveStreams/maxStreams to Integer.MAXVALUE, and Http2Settings never inserts...

EUVD-2026-36455

Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, DefaultHttp2Connection.DefaultEndpoint initialises maxActiveStreams/maxStreams to Integer.MAXVALUE, and Http2Settings never inserts...

GHSA-5X3R-WRVG-RP6Q Netty HTTP/2: Advertised MAX_CONCURRENT_STREAMS are not enforced

Impact DefaultHttp2Connection.DefaultEndpoint initialises maxActiveStreams/maxStreams to Integer.MAXVALUE, and Http2Settings never inserts SETTINGSMAXCONCURRENTSTREAMS by default Http2Settings.java:305-307 only clamps a user-supplied value. Unless the application explicitly calls...

Netty HTTP/2: Advertised MAX_CONCURRENT_STREAMS are not enforced

Impact DefaultHttp2Connection.DefaultEndpoint initialises maxActiveStreams/maxStreams to Integer.MAXVALUE, and Http2Settings never inserts SETTINGSMAXCONCURRENTSTREAMS by default Http2Settings.java:305-307 only clamps a user-supplied value. Unless the application explicitly calls...

PT-2026-47612

Name of the Vulnerable Software and Affected Versions Netty versions prior to 4.1.135.Final Netty versions prior to 4.2.15.Final Description In the network application framework, DefaultHttp2Connection.DefaultEndpoint initializes maxActiveStreams and maxStreams to Integer.MAX VALUE, while...

Exploit for Uncontrolled Resource Consumption in Siemens Simatic_S7-1500_Cpu_1518F-4_Pn\/Dp_Mfp_Firmware

CVE-2023-44487 — HTTP/2 Rapid Reset Test Lab Educational envi...

Astra Linux – Vulnerability in Apache2

When an HTTP/2 stream is reset by a client via an RST frame, there is a time window during which the memory resources associated with the request are not immediately reclaimed. Instead, the deallocation of these resources is delayed until after the connection is closed. This allows clients to...

Exploit for Uncontrolled Resource Consumption in Ietf Http

!/usr/bin/env python3 """ Evidencia CVE-2023-44487 HTTP/2 Rapi...

golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487)

A flaw was found in handling multiplexed streams in the HTTP/2 protocol. A client can repeatedly make a request for a new multiplex stream and immediately send an RSTSTREAM frame to cancel it. This creates extra work for the server setting up and tearing down the streams while not hitting any...

Security update for tomcat

This update for tomcat fixes the following issues: Update to Tomcat 9.0.115: CVE-2025-48989: HTTP/2 protocol including DNS over HTTPS is vulnerable to "MadeYouReset" DoS attack bsc1243895. CVE-2025-52434: race condition on connection close when using the APR/Native connector could lead to a JVM...

Exploit for Uncontrolled Resource Consumption in Ietf Http

Exploit-Title-HTTP-2-2.0---Denial-Of-Service-DOS-...

MiracleLinux 9 : nghttp2-1.43.0-5.el9.1 (AXSA:2023-6518:02)

The remote MiracleLinux 9 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2023-6518:02 advisory. HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack Rapid Reset Attack CVE-2023-44487 Tenable has extracted the preceding description...

MiracleLinux 7 : rh-nginx120-nginx-1.20.1-1.0.2.el7.AXS7 (AXSA:2023-6580:01)

The remote MiracleLinux 7 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2023-6580:01 advisory. HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack Rapid Reset Attack CVE-2023-44487 Tenable has extracted the preceding description...

MiracleLinux 7 : httpd24-nghttp2-1.7.1-11.0.1.el7 (AXSA:2024-7351:01)

The remote MiracleLinux 7 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2024-7351:01 advisory. HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack Rapid Reset Attack CVE-2023-44487 Tenable has extracted the preceding description...

MiracleLinux 8 : dotnet6.0-6.0.123-1.el8.ML.1 (AXSA:2023-6511:24)

The remote MiracleLinux 8 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2023-6511:24 advisory. HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack Rapid Reset Attack CVE-2023-44487 Tenable has extracted the preceding description...

MiracleLinux 9 : golang-1.19.13-1.el9, go-toolset-1.19.13-1.el9 (AXSA:2023-6512:05)

The remote MiracleLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2023-6512:05 advisory. golang: net/http, x/net/http2: rapid stream resets can cause excessive work CVE-2023-44487 CVE-2023-39325 HTTP/2: Multiple HTTP/2 enabled web server...

MiracleLinux 9 : grafana-9.0.9-4.el9.ML.1 (AXSA:2023-6532:09)

The remote MiracleLinux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the AXSA:2023-6532:09 advisory. HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack Rapid Reset Attack CVE-2023-44487 golang: net/http, x/net/http2: rapid...

MiracleLinux 9 : nginx-1.20.1-14.el9.1.ML.1 (AXSA:2023-6549:04)

The remote MiracleLinux 9 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2023-6549:04 advisory. HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack Rapid Reset Attack CVE-2023-44487 Tenable has extracted the preceding description...