Netty DoS Vulnerability (CVE-2026-42587) Bypasses Decompression Limits

The National Vulnerability Database (NVD) reports a high-severity denial-of-service (DoS) vulnerability, CVE-2026-42587, affecting Netty, an asynchronous network application framework. The issue lies in HttpContentDecompressor (HTTP/1.x) and DelegatingDecompressorFrameListener (HTTP/2), both of which are meant to cap how much memory decompression of a request body may allocate, precisely to defeat 'decompression bomb' payloads. The cap is applied correctly for gzip and deflate, which go through ZlibDecoder, but the NVD states that it is silently ignored for the br (Brotli), zstd and snappy content encodings.

An attacker exploits this by sending a compressed body with Content-Encoding: br (or zstd, or snappy) instead of gzip. The configured limit is never consulted for those encodings, so the decompressor allocates memory in proportion to the inflated size of the payload rather than to the cap; a request that is small on the wire but inflates to many times its size drives the JVM out of memory and takes the service down. The NVD confirms the fix in Netty 4.2.13.Final (4.2 line) and 4.1.133.Final (4.1 line).

This isn't theoretical; it is a design flaw in how the limit is applied: the cap exists, but only for two of the encodings the decompressor accepts. No complex exploit is needed, only a compressed body and the right Content-Encoding header. The CVSS score of 7.5 (High) reflects network exploitability (AV:N) with no privileges or user interaction required (PR:N, UI:N) and a high availability impact (A:H), with no confidentiality or integrity impact. This is a textbook example of CWE-400, Uncontrolled Resource Consumption.

What This Means For You

  • If your services use Netty's HttpContentDecompressor (HTTP/1.x) or DelegatingDecompressorFrameListener (HTTP/2) to inflate request bodies and run a version before 4.1.133.Final (4.1 line) or 4.2.13.Final (4.2 line), an unauthenticated attacker can take them offline with a single small request. Check your Netty version now, including the transitive copy pulled in by frameworks built on Netty, and upgrade. Until you can, do not accept br, zstd or snappy request bodies: reject or strip those Content-Encoding values before they reach the decompressor, or leave the decompressor out of the pipeline for untrusted clients. Note that Netty decodes br and zstd only when the optional native libraries (Brotli4j, zstd-jni) are on the classpath, while snappy support is built in, so the absence of those libraries narrows the exposure but does not remove it.
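As an added example (not code from the advisory or from the Netty project), the stop-gap described above for HTTP/1.x deployments that cannot upgrade yet: a handler placed in front of HttpContentDecompressor that refuses request bodies encoded with br, zstd or snappy and lets gzip/deflate through, plus the pipeline order it needs. It assumes the Netty 4.1.x HTTP/1 API; the HttpContentDecompressor(int maxAllocation) constructor is assumed from the maxAllocation limit the advisory refers to and should be checked against the version in use, the 1 MiB cap is an illustrative value, and the HTTP/2 DelegatingDecompressorFrameListener path is not covered here.

```java
import io.netty.buffer.Unpooled;
import io.netty.channel.ChannelFutureListener;
import io.netty.channel.ChannelHandler;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelInboundHandlerAdapter;
import io.netty.channel.ChannelInitializer;
import io.netty.channel.socket.SocketChannel;
import io.netty.handler.codec.http.DefaultFullHttpResponse;
import io.netty.handler.codec.http.FullHttpResponse;
import io.netty.handler.codec.http.HttpContent;
import io.netty.handler.codec.http.HttpContentDecompressor;
import io.netty.handler.codec.http.HttpHeaderNames;
import io.netty.handler.codec.http.HttpHeaderValues;
import io.netty.handler.codec.http.HttpObjectAggregator;
import io.netty.handler.codec.http.HttpRequest;
import io.netty.handler.codec.http.HttpResponseStatus;
import io.netty.handler.codec.http.HttpServerCodec;
import io.netty.handler.codec.http.HttpVersion;
import io.netty.util.ReferenceCountUtil;

import java.util.Locale;
import java.util.Set;

/**
 * Stop-gap for Netty versions before 4.1.133.Final / 4.2.13.Final: refuse request
 * bodies encoded with the codecs whose decompression limit is not honoured, before
 * HttpContentDecompressor ever sees them. gzip and deflate pass through because
 * ZlibDecoder enforces the cap for those. Stateful, so one instance per channel.
 */
public final class UnboundedCodecRejector extends ChannelInboundHandlerAdapter {

    /** Encodings the advisory names as bypassing the limit (matched case-insensitively). */
    private static final Set<String> BLOCKED = Set.of("br", "zstd", "snappy");

    /** Upper bound on inflated bytes; 1 MiB is an illustrative value, size it for your API. */
    static final int MAX_INFLATED = 1024 * 1024;

    /** True while body chunks of an already-rejected request are still arriving. */
    private boolean discarding;

    /** True if any coding in a Content-Encoding value (e.g. "gzip, br") is blocked. */
    static boolean usesBlockedCoding(String contentEncoding) {
        for (String coding : contentEncoding.split(",")) {
            if (BLOCKED.contains(coding.trim().toLowerCase(Locale.ROOT))) {
                return true;
            }
        }
        return false;
    }

    @Override
    public void channelRead(ChannelHandlerContext ctx, Object msg) throws Exception {
        if (msg instanceof HttpRequest) {
            String encoding = ((HttpRequest) msg).headers().get(HttpHeaderNames.CONTENT_ENCODING);
            if (encoding != null && usesBlockedCoding(encoding)) {
                discarding = true;
                ReferenceCountUtil.release(msg);
                FullHttpResponse resp = new DefaultFullHttpResponse(
                        HttpVersion.HTTP_1_1, HttpResponseStatus.UNSUPPORTED_MEDIA_TYPE, Unpooled.EMPTY_BUFFER);
                resp.headers().set(HttpHeaderNames.CONTENT_LENGTH, 0);
                resp.headers().set(HttpHeaderNames.CONNECTION, HttpHeaderValues.CLOSE);
                // Close the connection: the body is never buffered, let alone inflated.
                ctx.writeAndFlush(resp).addListener(ChannelFutureListener.CLOSE);
                return;
            }
            discarding = false;
        } else if (discarding && msg instanceof HttpContent) {
            ReferenceCountUtil.release(msg); // drop trailing chunks of the rejected request
            return;
        }
        super.channelRead(ctx, msg);
    }

    /**
     * HTTP/1.x server pipeline. Order matters: the rejector sits in front of the
     * decompressor. The maxAllocation argument is the limit the advisory says is
     * bypassed for br/zstd/snappy on unpatched versions and honoured for every codec
     * once on 4.1.133.Final / 4.2.13.Final. The aggregator's limit is defence in
     * depth, not a substitute: it only sees bytes after they have been inflated.
     */
    public static ChannelInitializer<SocketChannel> pipeline(final ChannelHandler appHandler) {
        return new ChannelInitializer<SocketChannel>() {
            @Override
            protected void initChannel(SocketChannel ch) {
                ch.pipeline()
                  .addLast(new HttpServerCodec())
                  .addLast(new UnboundedCodecRejector())
                  .addLast(new HttpContentDecompressor(MAX_INFLATED))
                  .addLast(new HttpObjectAggregator(MAX_INFLATED))
                  .addLast(appHandler);
            }
        };
    }
}
```

Responding 415 Unsupported Media Type and closing the connection is deliberate: a client that genuinely compresses request bodies with Brotli gets an unambiguous error, and the remaining body chunks are released without being read into the decompressor. Once the upgrade is in place the rejector can be removed, since the same maxAllocation cap then applies to all five encodings.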

Detection Rules

Severity: high · ATT&CK: T1499 Endpoint Denial of Service (Impact)

CVE-2026-42587 - Netty Brotli/Zstd/Snappy Decompression Bomb DoS

Sigma YAML
title: CVE-2026-42587 - Netty Brotli/Zstd/Snappy Decompression Bomb DoS
id: scw-2026-05-13-ai-1
status: experimental
level: high
description: |
  Detects HTTP requests that carry a body with 'Content-Encoding: br', 'zstd' or 'snappy',
  the three encodings for which affected Netty versions ignore the configured decompression
  limit (CVE-2026-42587). Most clients never compress request bodies, so a burst of such
  requests against a Netty-based service is worth investigating. No method filter is applied
  because the decompressor inflates any request body regardless of method.
  Content-Encoding is a request header, not part of the URI, so the web server or reverse
  proxy in front of the service must be configured to log it. 'cs-content-encoding' is a
  placeholder field name to be mapped to wherever your log pipeline stores that header.
author: SCW Feed Engine (AI-generated)
date: 2026-05-13
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-42587/
tags:
  - attack.impact
  - attack.t1499
logsource:
  category: webserver
detection:
  selection:
    cs-content-encoding|contains:
      - 'br'
      - 'zstd'
      - 'snappy'
  condition: selection
falsepositives:
  - Clients that legitimately compress request bodies with Brotli, Zstandard or Snappy (for example internal service-to-service APIs)

Source: Shimi's Cyber World


Indicators of Compromise

ID              Type  Indicator
CVE-2026-42587  DoS   Netty versions prior to 4.2.13.Final (4.2 line) and 4.1.133.Final (4.1 line)
CVE-2026-42587  DoS   HttpContentDecompressor component (HTTP/1.x)
CVE-2026-42587  DoS   DelegatingDecompressorFrameListener component (HTTP/2)
CVE-2026-42587  DoS   maxAllocation limit bypassed for Content-Encoding: br (Brotli), zstd or snappy
Source & Attribution
Source platform: NVD
Channel: National Vulnerability Database
Published: May 13, 2026 at 22:17 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
