
PEACH
Un cadre d’isolation des locataires
CVE-2026-44891 is a Denial of Service vulnerability in Netty's StompSubframeDecoder caused by unbounded header accumulation in STOMP frames. The io.netty:netty-codec-stomp Maven package is affected across versions >= 4.2.0.Alpha1 through <= 4.2.15.Final and all versions <= 4.1.135.Final. The vulnerability was published on July 14, 2026, by Netty maintainer normanmaurer and credited to reporter violetagg. It carries a CVSS v3.1 base score of 7.5 (High) (GitHub Advisory, Netty Advisory).
The root cause is classified as CWE-400 (Uncontrolled Resource Consumption) and CWE-770 (Allocation of Resources Without Limits or Throttling). While StompSubframeDecoder enforces a maxLineLength parameter to restrict the length of individual header lines, it imposes no limit on the total number of headers or their cumulative size within a single STOMP frame. An unauthenticated attacker can send a TCP connection carrying a STOMP frame with an arbitrarily large number of short headers (e.g., a:1\n), which are continuously accumulated in memory within DefaultStompHeadersSubframe until the JVM throws an OutOfMemoryError. No authentication or special privileges are required; any network-accessible STOMP endpoint using this decoder is exploitable (GitHub Advisory, Netty Advisory).
Successful exploitation causes a JVM OutOfMemoryError that crashes the affected Netty-based service, resulting in a complete loss of availability. There is no impact on confidentiality or data integrity — the attack is purely a Denial of Service. Any application exposing a STOMP endpoint via Netty's StompSubframeDecoder is vulnerable, and a single malicious connection is sufficient to exhaust server memory and take the service offline (GitHub Advisory).
StompSubframeDecoder using network scanning tools such as Nmap or Shodan.new Socket("<target>", <port>)).CONNECT\n, to begin the STOMP handshake.a:1\n) to the output stream — the advisory PoC sends 1,000 headers per batch for 50,000 iterations, totaling 50 million headers.DefaultStompHeadersSubframe without any limit, exhausting JVM heap memory and causing an OutOfMemoryError that crashes the service (GitHub Advisory, Netty Advisory).\0).java.lang.OutOfMemoryError: Java heap space originating from Netty's STOMP codec stack; repeated log entries from io.netty.handler.codec.stomp.StompSubframeDecoder.java_pid*.hprof) generated in the working directory indicating OOM conditions.Netty has released patched versions 4.2.16.Final and 4.1.136.Final for the io.netty:netty-codec-stomp package, which implement limits on the total number of headers and their cumulative size per STOMP frame. Users should upgrade to these versions immediately. As a temporary workaround, operators can implement external rate limiting or connection-level restrictions (e.g., via a reverse proxy or firewall) to limit the volume of data a single client can send to the STOMP endpoint within a time window (GitHub Advisory, Netty Advisory).
Source: Ce rapport a été généré à l’aide de l’IA
Évaluation gratuite des vulnérabilités
Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.
Obtenez une démo personnalisée
"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."