Netty HTTP/2 Zero-Byte Frame Bypass Exposes Servers to DoS Flood (CVE-2026-33871)

A critical vulnerability in the widely-used Netty networking framework exposes HTTP/2 servers to a potent denial-of-service (DoS) attack. Tracked as CVE-2026-33871, the flaw allows a remote attacker to trigger a service outage by flooding a server with specially crafted CONTINUATION frames. The attack exploits a bypass in the frame validation logic, enabling an attacker to send a flood of zero-byte frames that can overwhelm and crash the target system.

The vulnerability resides in the `io.netty:netty-codec-http2` library, a core component for building high-performance network applications in Java. The security advisory (GHSA-w9fj-cfpg-grvv) details that the issue is a bypass of existing protections against CONTINUATION frame floods. This means servers that were previously considered protected against such attacks are now vulnerable again through this new vector. The patch, released in version 4.2.11.Final, fixes the validation logic to properly reject the malicious zero-byte frame sequences.

The impact is broad, as Netty is foundational to countless enterprise Java applications, microservices, and major web platforms. Any service using an unpatched version (4.2.10.Final or earlier) of the `netty-codec-http2` dependency is at risk of being taken offline by a relatively simple remote attack. This vulnerability underscores the persistent threat landscape for core networking libraries and creates immediate pressure on development and security teams to audit dependencies and apply the security update before exploits become widespread.