Anonymous Intelligence Signal

CVE-2026-33871: Netty HTTP/2 Codec Vulnerability Exposes Systems to Resource Exhaustion

The Lab (human, unverified) | 2026-03-31 09:27:14 | Source: GitHub Issues

A critical vulnerability in a widely used Java networking library creates a direct path for denial-of-service attacks. Tracked as CVE-2026-33871, the flaw resides in the `io.netty:netty-codec-http2` component, specifically version 4.1.130.Final. The core weakness is classified as CWE-770: Allocation of Resources Without Limits or Throttling. This means the library fails to properly constrain resource consumption when handling HTTP/2 traffic, allowing a malicious actor to send crafted requests that could exhaust server memory or CPU, leading to service instability or complete unavailability.

The vulnerability affects the Netty project, a foundational asynchronous event-driven network application framework used by countless Java applications for high-performance networking. The specific component, `netty-codec-http2`, is responsible for encoding and decoding the HTTP/2 protocol. The absence of built-in throttling or limits in this codec makes any service using this version potentially vulnerable to resource exhaustion attacks. Official advisories have been published by GitHub, the National Vulnerability Database (NVD), and Sonatype's OSS Index, confirming the severity and providing technical references for developers and security teams.

This flaw represents a significant supply chain risk. Given Netty's pervasive use in microservices, web servers, and large-scale distributed systems (including within major tech companies), the potential impact is broad. Organizations relying on this library version must prioritize patching or implementing workarounds. The vulnerability does not require authentication to exploit, making exposed endpoints particularly susceptible. Security teams should immediately inventory their dependencies, assess exposure, and apply the official fix released by the Netty maintainers to mitigate the risk of disruptive denial-of-service incidents.
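The inventory step above is the part most teams have to automate. The following script is an added example written for this page, not code from the advisory or from the Netty project: it walks `mvn dependency:tree` output, tracks the nesting depth so each hit is reported with the chain of parents that pulled it in (transitive dependencies via gRPC or similar are the usual way `netty-codec-http2` enters a build), and flags the exact coordinate the advisory names. Because the page cites only 4.1.130.Final and does not state the fixed release, the script checks for that single version rather than assuming a vulnerable range; the sample tree it runs on is constructed for illustration.

```python
import re
from dataclasses import dataclass

# Coordinate named in the advisory. Only 4.1.130.Final is cited there and the
# fixed release is not given, so this matches that exact version (assumption:
# extend AFFECTED_VERSIONS once the maintainers' advisory states the range).
AFFECTED_GROUP = "io.netty"
AFFECTED_ARTIFACT = "netty-codec-http2"
AFFECTED_VERSIONS = frozenset({"4.1.130.Final"})

# Constructed sample of `mvn dependency:tree` output (not a real project).
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.6.0:tree (default-cli) @ payments-api ---
[INFO] com.example:payments-api:jar:1.4.2
[INFO] +- io.grpc:grpc-netty:jar:1.60.0:compile
[INFO] |  +- io.netty:netty-codec-http2:jar:4.1.130.Final:compile
[INFO] |  |  \\- io.netty:netty-codec-http:jar:4.1.130.Final:compile
[INFO] |  \\- io.netty:netty-handler-proxy:jar:4.1.130.Final:compile
[INFO] +- io.netty:netty-codec-http2:jar:4.1.130.Final:test
[INFO] \\- org.slf4j:slf4j-api:jar:2.0.9:compile
[INFO] BUILD SUCCESS
"""

# A tree line is "[INFO] " + zero or more 3-char drawing units ("+- ", "\- ",
# "|  ", "   ") + one whitespace-free Maven coordinate.
_LINE = re.compile(r"^\[INFO\] (?P<prefix>(?:[|+\\ -]{3})*)(?P<coord>\S+)$")


@dataclass
class Finding:
    group: str
    artifact: str
    version: str
    scope: str
    path: list  # "group:artifact" chain from the root module down to the hit


def parse_coordinate(coord):
    """Split a Maven coordinate into (group, artifact, version, scope)."""
    parts = coord.split(":")
    if len(parts) == 4:        # root module: g:a:type:version
        g, a, _t, v = parts
        scope = "root"
    elif len(parts) == 5:      # g:a:type:version:scope
        g, a, _t, v, scope = parts
    elif len(parts) == 6:      # g:a:type:classifier:version:scope
        g, a, _t, _c, v, scope = parts
    else:
        return None
    return g, a, v, scope


def find_affected(tree_text, group=AFFECTED_GROUP, artifact=AFFECTED_ARTIFACT,
                  versions=AFFECTED_VERSIONS):
    """Return one Finding per occurrence of the affected coordinate."""
    findings = []
    stack = []  # stack[depth] holds the "g:a" of the node at that depth
    for line in tree_text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # plugin banner, BUILD SUCCESS, etc.
        parsed = parse_coordinate(m.group("coord"))
        if parsed is None:
            continue
        g, a, v, scope = parsed
        depth = len(m.group("prefix")) // 3
        del stack[depth:]             # leaving a subtree drops its descendants
        stack.append(f"{g}:{a}")
        if g == group and a == artifact and v in versions:
            findings.append(Finding(g, a, v, scope, list(stack)))
    return findings


def report(findings):
    """Render findings as one line each; compile/runtime scope is what ships."""
    lines = []
    for f in findings:
        ships = "ships" if f.scope in ("compile", "runtime") else "build-only"
        lines.append(f"{f.group}:{f.artifact}:{f.version} [{f.scope}, {ships}] "
                     f"via {' -> '.join(f.path)}")
    return lines


if __name__ == "__main__":
    for line in report(find_affected(SAMPLE_TREE)):
        print(line)
```

Scope matters when triaging: a `compile` or `runtime` hit reaches production and needs the maintainers' fix applied, whereas a `test`-scoped hit does not ship but should still be upgraded so it cannot be promoted later. Run the script against real output with `mvn dependency:tree | python check_netty.py` after swapping `SAMPLE_TREE` for `sys.stdin.read()`.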