CVE-2026-50560: Netty susceptible to HTTP/2 Reset Attack with different on-the-wire signature
Summary
Netty's HTTP/2 max header list size handling produces an attack similar to HTTP/2 Rapid Reset.
Details
There is a setting in the HTTP/2 specification called SETTINGS_MAX_HEADER_LIST_SIZE. According to the RFC: “This advisory setting informs a peer of the maximum field section size that the sender is prepared to accept, in units of octets.”
When a client sends that setting to Netty, it appears that Netty will behave as follows:
- Read the request
- Proxy the request to the origin
- Attempt to produce a response
- Create an exception while writing the headers for the response
Functionally, this should be similar to the http2 reset attack, but with a different on-the-wire signature.
Remediation
When speaking with clients, Netty should treat this setting as “advisory” and ignore it. It would be best to ignore the SETTINGS_MAX_HEADER_LIST_SIZE setting received from clients (or ignore it when sending responses to clients). According to the spec, a server does not need to honor this advisory setting, and it appears that other HTTP/2 implementations ignore it when acting as a server.
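The following is an added model of the failure mode in the Details and Remediation sections above. It is constructed for this page and is not Netty's code: the names Connection, Origin, serve_enforcing, serve_ignoring, simulate and reset_ratio are this example's own. It keeps the ordering the advisory describes (read, proxy to the origin, build the response, then fail while writing headers because they exceed the client's advertised limit) next to the remediated ordering that treats the client's value as advisory. The field-section size arithmetic (name length plus value length plus 32 octets per field line) is the RFC 9113 definition; the reset-ratio heuristic is an assumed detection signal, not something the advisory states.

```python
# Constructed model of the SETTINGS_MAX_HEADER_LIST_SIZE failure mode described
# in the advisory. Not Netty code; every name here is this example's own.
from dataclasses import dataclass, field
from typing import Optional

# RFC 9113 identifier for the setting (0x6); its value is in octets.
SETTINGS_MAX_HEADER_LIST_SIZE = 0x6


def header_list_size(headers):
    """Uncompressed field-section size per RFC 9113 section 6.5.2:
    name length + value length + 32 octets overhead for each field line."""
    return sum(len(name) + len(value) + 32 for name, value in headers)


@dataclass
class Origin:
    """Stand-in for the upstream server behind the proxy; counts the work it did."""
    calls: int = 0

    def handle(self, request_headers):
        self.calls += 1
        # Constructed response: 42 + 54 + 60 = 156 octets of field-section size.
        return [(":status", "200"),
                ("content-type", "text/plain"),
                ("x-request-id", "abcdef0123456789")]


class HeaderListTooLarge(Exception):
    """Raised when the encoded response headers exceed the peer's advertised limit."""


@dataclass
class Connection:
    origin: Origin = field(default_factory=Origin)
    peer_max_header_list_size: Optional[int] = None  # from the client's SETTINGS frame
    resets: int = 0      # streams torn down after the upstream work was already done
    delivered: int = 0   # responses that actually reached the client

    def on_settings(self, settings):
        """Record the client's advisory value exactly as advertised."""
        if SETTINGS_MAX_HEADER_LIST_SIZE in settings:
            self.peer_max_header_list_size = settings[SETTINGS_MAX_HEADER_LIST_SIZE]


def serve_enforcing(conn, request_headers):
    """Ordering described in the advisory: read, proxy, build the response,
    then raise while writing headers because they exceed the client's limit."""
    response = conn.origin.handle(request_headers)
    limit = conn.peer_max_header_list_size
    if limit is not None and header_list_size(response) > limit:
        conn.resets += 1
        raise HeaderListTooLarge(limit)
    conn.delivered += 1
    return response


def serve_ignoring(conn, request_headers):
    """Remediation from the advisory: the client's value is advisory, so the
    server does not enforce it on its own outbound responses."""
    response = conn.origin.handle(request_headers)
    conn.delivered += 1
    return response


def simulate(handler, client_settings, streams):
    """Open `streams` requests on one connection and report upstream calls made,
    responses delivered and streams reset."""
    conn = Connection()
    conn.on_settings(client_settings)
    request = [(":method", "GET"), (":path", "/"), (":scheme", "https"),
               (":authority", "example.test")]  # constructed request
    for _ in range(streams):
        try:
            handler(conn, request)
        except HeaderListTooLarge:
            pass  # the stream is reset; the origin work is already spent
    return {"origin_calls": conn.origin.calls,
            "delivered": conn.delivered,
            "resets": conn.resets}


def reset_ratio(stats):
    """Assumed detection signal: share of streams on a connection that ended in
    a reset after upstream work; approaches 1.0 on an abusive connection."""
    return stats["resets"] / max(stats["origin_calls"], 1)


if __name__ == "__main__":
    tiny = {SETTINGS_MAX_HEADER_LIST_SIZE: 1}
    print("enforcing:", simulate(serve_enforcing, tiny, 100))
    print("ignoring: ", simulate(serve_ignoring, tiny, 100))
```

Run as a script, the enforcing handler shows 100 origin calls, 0 deliveries and 100 resets for a client that advertised a 1-octet limit, while the ignoring handler does the same upstream work and delivers all 100 responses. The reset ratio is what a proxy operator would watch per connection: the advisory's point is that the on-the-wire signature differs from Rapid Reset, but the ratio of wasted upstream work to completed streams looks the same.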
Impact
This is a DDoS attack similar to the HTTP/2 Rapid Reset Attack.
Credit: Jonathan Looney (Engineering, Netflix)
Contact: Ashley Tolbert (Security, Netflix) - artolbert@netflix.com
Other sources
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty HTTP/2 max header size handling produces an attack similar to HTTP/2 Rapid Reset. There is a setting in the http2 specification called SETTINGS_MAX_HEADER_LIST_SIZE. When a client sends that setting to Netty, it appears that Netty will behave as follows: read the request; proxy the request to the origin; attempt to produce a response; and create an exception while writing the headers for the response. Functionally, this should be similar to the http2 reset attack, but with a different on-the-wire signature. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
— MITRE
Frequently Asked Questions
What is the severity of CVE-2026-50560?
The severity of CVE-2026-50560 is medium with a CVSS score of 6.9.
How do I fix CVE-2026-50560?
To fix CVE-2026-50560, upgrade to Netty versions 4.1.135.Final or 4.2.15.Final or later.
What kind of attack does CVE-2026-50560 expose my application to?
CVE-2026-50560 exposes applications to an HTTP/2 Reset Attack due to improper handling of max header sizes.
Which software is affected by CVE-2026-50560?
CVE-2026-50560 affects the Netty network application framework for developing protocol servers and clients.
When was CVE-2026-50560 published?
CVE-2026-50560 was published on June 12, 2026.