CVE-2026-33871: Netty HTTP/2 Codec Vulnerability Exposes Systems to Resource Exhaustion

A critical vulnerability in a widely-used Java networking library opens systems to potential denial-of-service attacks. The flaw, tracked as CVE-2026-33871, resides in the `io.netty:netty-codec-http2` component, specifically version 4.1.130.Final. It is classified under CWE-770, indicating an "Allocation of Resources Without Limits or Throttling." This means the library fails to properly restrict resource consumption when handling HTTP/2 traffic, allowing a malicious actor to send crafted requests that could exhaust server memory or CPU, leading to service degradation or complete unavailability.

The vulnerability affects the test scope (`:test`) of the specified Netty artifact. Netty is a foundational asynchronous event-driven network application framework used by countless Java applications for high-performance networking. The HTTP/2 codec is a core component for modern web communication. The issue's presence in a test dependency, while potentially limiting immediate runtime impact in production, still poses a significant risk during development, testing, and CI/CD pipelines where the vulnerable artifact is resolved. It also signals a potential weakness in the library's resource management logic that could have broader implications.

Security researchers and maintainers have published advisories through major channels including the National Vulnerability Database (NVD), GitHub Security Advisories (GHSA-w9fj-cfpg-grvv), and Sonatype's OSS Index. Organizations using Netty, particularly those leveraging HTTP/2, must scrutinize their dependency trees to identify if the vulnerable version is present. The lack of resource throttling is a classic vector for stability attacks, and while no active exploitation is confirmed, the public disclosure places pressure on development teams to assess their exposure, update dependencies, and review their application's resilience against resource exhaustion scenarios.