Micronaut Framework DoS Vulnerability (CVE-2026-44241) Risks Heap Exhaustion
The Micronaut Framework, a JVM-based full-stack Java framework, is susceptible to a denial-of-service (DoS) vulnerability tracked as CVE-2026-44241. According to the National Vulnerability Database, versions 4.3.0 through to 4.10.21 are affected. The flaw lies within the TimeConverterRegistrar, which caches DateTimeFormatter instances using an unbounded ConcurrentHashMap.
This cache’s key is derived from the @Format annotation pattern combined with the locale from the HTTP Accept-Language header. The National Vulnerability Database highlights that Locale.forLanguageTag() accepts arbitrary BCP 47 private-use extensions (e.g., en-x-a001). An unauthenticated attacker can exploit this by sending requests with novel locale tags, generating an unlimited number of unique cache keys. This rapidly expands the cache, ultimately exhausting heap memory and crashing the JVM.
With a CVSS score of 7.5 (HIGH), this unauthenticated DoS vulnerability presents a significant operational risk. Defenders must recognize that the attacker’s calculus here is straightforward: send specially crafted requests, induce memory exhaustion, and take the application offline. It’s a low-effort, high-impact attack that requires immediate mitigation.
What This Means For You
- If your organization utilizes the Micronaut Framework, you need to assess your exposure to CVE-2026-44241 immediately. Verify your Micronaut version and prioritize upgrading to 4.10.22 or later. This is a critical unauthenticated denial-of-service vulnerability that can crash your applications.
Related ATT&CK Techniques
🛡️ Detection Rules
3 rules · 6 SIEM formats3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
Micronaut Framework DoS via Locale Manipulation - CVE-2026-44241
title: Micronaut Framework DoS via Locale Manipulation - CVE-2026-44241
id: scw-2026-05-12-ai-1
status: experimental
level: high
description: |
Detects requests targeting Micronaut Framework applications that attempt to exploit CVE-2026-44241 by sending crafted 'Accept-Language' headers with BCP 47 private-use extensions. This can lead to heap exhaustion and denial of service by creating an unlimited number of unique cache keys for DateTimeFormatter instances.
author: SCW Feed Engine (AI-generated)
date: 2026-05-12
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-44241/
tags:
- attack.initial_access
- attack.t1190
logsource:
category: webserver
detection:
selection:
cs-uri-query|contains:
- 'en-x-'
- 'fr-x-'
- 'de-x-'
- 'es-x-'
- 'zh-x-'
- 'ja-x-'
- 'ko-x-'
condition: selection
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-44241 | DoS | Micronaut Framework versions 4.3.0 to before 4.10.22 |
| CVE-2026-44241 | DoS | TimeConverterRegistrar component |
| CVE-2026-44241 | DoS | Unbounded ConcurrentHashMap |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 13, 2026 at 01:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
Fuji Tellus Driver Grants All Users Kernel R/W: CVE-2026-8108
CVE-2026-8108 — The installation of Fuji Tellus adds a driver to the kernel which grants all users read and write permissions.
MonsterInsights WordPress Plugin Exposes Google OAuth Tokens
CVE-2026-5371 — The MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy) plugin for WordPress is vulnerable to unauthorized access and modification of...
ChurchCRM CVE-2026-44548: High-Severity CSRF Allows Silent Record Deletion
CVE-2026-44548 — ChurchCRM is an open-source church management system. Prior to 7.3.2, top-level cross-site GET navigation from an attacker-controlled page to FundRaiserDelete.php, PropertyTypeDelete.php, or NoteDelete.php...