CVE-2026-33871: Netty HTTP/2 CONTINUATION Frame Flood DoS via Zero-Byte Frame Bypass

March 26, 2026 (updated March 27, 2026)

A remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of CONTINUATION frames. The server’s lack of a limit on the number of CONTINUATION frames, combined with a bypass of existing size-based mitigations using zero-byte frames, allows an user to cause excessive CPU consumption with minimal bandwidth, rendering the server unresponsive.

References

github.com/advisories/GHSA-w9fj-cfpg-grvv
github.com/netty/netty
github.com/netty/netty/security/advisories/GHSA-w9fj-cfpg-grvv
nvd.nist.gov/vuln/detail/CVE-2026-33871

Code Behaviors & Features

Detect and mitigate CVE-2026-33871 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →