{
  "threat_severity" : "Moderate",
  "public_date" : "2026-06-12T14:23:50Z",
  "bugzilla" : {
    "description" : "netty-codec-http2: Netty: Denial of Service via uncontrolled HTTP/2 concurrent streams",
    "id" : "2488399",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2488399"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-770",
  "details" : [ "Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, DefaultHttp2Connection.DefaultEndpoint initialises maxActiveStreams/maxStreams to Integer.MAX_VALUE, and Http2Settings never inserts SETTINGS_MAX_CONCURRENT_STREAMS by default (Http2Settings.java:305-307 only clamps a user-supplied value). Unless the application explicitly calls initialSettings().maxConcurrentStreams(n), a Netty HTTP/2 server advertises no limit and enforces none locally. Each open stream allocates a DefaultStream object, PropertyMap slots, flow-controller state and IntObjectHashMap entry; with ~2^30 permissible odd stream IDs a single TCP connection can create hundreds of thousands of long-lived stream objects. This is also the precondition for CVE-2023-44487-style Rapid-Reset amplification, where the absence of a low concurrent cap multiplies backend work. Versions 4.1.135.Final and 4.2.15.Final patch the issue.", "A flaw was found in Netty, a network application framework. A remote attacker can exploit this vulnerability by sending a large number of HTTP/2 stream requests to a Netty HTTP/2 server. If the server does not explicitly limit concurrent streams, it can lead to the allocation of numerous long-lived stream objects. This excessive resource consumption can result in a denial of service (DoS), making the server unavailable to legitimate users." ],
  "statement" : "This Moderate impact flaw in Netty's HTTP/2 implementation can lead to a denial of service in Red Hat products that utilize Netty as an HTTP/2 server without explicitly configured limits on concurrent streams. An attacker can exhaust server resources by initiating numerous HTTP/2 stream requests, rendering the service unavailable. The impact is limited to denial of service and requires a specific server configuration to be exploitable.",
  "affected_release" : [ {
    "product_name" : "Red Hat build of Quarkus 3.27.4.SP1",
    "release_date" : "2026-06-17T00:00:00Z",
    "advisory" : "RHSA-2026:26018",
    "cpe" : "cpe:/a:redhat:quarkus:3.27::el8",
    "package" : "netty-codec-http2"
  }, {
    "product_name" : "Red Hat build of Quarkus 3.33.2.SP1",
    "release_date" : "2026-06-17T00:00:00Z",
    "advisory" : "RHSA-2026:26017",
    "cpe" : "cpe:/a:redhat:quarkus:3.33::el8",
    "package" : "netty-codec-http2"
  } ],
  "package_state" : [ {
    "product_name" : "Cryostat 4",
    "fix_state" : "Fix deferred",
    "package_name" : "netty-codec-http2",
    "cpe" : "cpe:/a:redhat:cryostat:4"
  }, {
    "product_name" : "OpenShift Serverless",
    "fix_state" : "Affected",
    "package_name" : "openshift-serverless-1/kn-ekb-dispatcher-rhel9",
    "cpe" : "cpe:/a:redhat:serverless:1"
  }, {
    "product_name" : "OpenShift Serverless",
    "fix_state" : "Fix deferred",
    "package_name" : "openshift-serverless-1/kn-ekb-receiver-rhel9",
    "cpe" : "cpe:/a:redhat:serverless:1"
  }, {
    "product_name" : "OpenShift Serverless",
    "fix_state" : "Fix deferred",
    "package_name" : "openshift-serverless-1/kn-eventing-integrations-aws-ddb-streams-source-rhel9",
    "cpe" : "cpe:/a:redhat:serverless:1"
  }, {
    "product_name" : "OpenShift Serverless",
    "fix_state" : "Fix deferred",
    "package_name" : "openshift-serverless-1/kn-eventing-integrations-aws-s3-sink-rhel9",
    "cpe" : "cpe:/a:redhat:serverless:1"
  }, {
    "product_name" : "OpenShift Serverless",
    "fix_state" : "Fix deferred",
    "package_name" : "openshift-serverless-1/kn-eventing-integrations-aws-s3-source-rhel9",
    "cpe" : "cpe:/a:redhat:serverless:1"
  }, {
    "product_name" : "OpenShift Serverless",
    "fix_state" : "Fix deferred",
    "package_name" : "openshift-serverless-1/kn-eventing-integrations-aws-sns-sink-rhel9",
    "cpe" : "cpe:/a:redhat:serverless:1"
  }, {
    "product_name" : "OpenShift Serverless",
    "fix_state" : "Fix deferred",
    "package_name" : "openshift-serverless-1/kn-eventing-integrations-aws-sqs-sink-rhel9",
    "cpe" : "cpe:/a:redhat:serverless:1"
  }, {
    "product_name" : "OpenShift Serverless",
    "fix_state" : "Fix deferred",
    "package_name" : "openshift-serverless-1/kn-eventing-integrations-aws-sqs-source-rhel9",
    "cpe" : "cpe:/a:redhat:serverless:1"
  }, {
    "product_name" : "OpenShift Serverless",
    "fix_state" : "Fix deferred",
    "package_name" : "openshift-serverless-1/kn-eventing-integrations-log-sink-rhel9",
    "cpe" : "cpe:/a:redhat:serverless:1"
  }, {
    "product_name" : "OpenShift Serverless",
    "fix_state" : "Affected",
    "package_name" : "openshift-serverless-1/kn-eventing-integrations-timer-source-rhel9",
    "cpe" : "cpe:/a:redhat:serverless:1"
  }, {
    "product_name" : "Red Hat AMQ Broker 7",
    "fix_state" : "Fix deferred",
    "package_name" : "netty-codec-http2",
    "cpe" : "cpe:/a:redhat:amq_broker:7"
  }, {
    "product_name" : "Red Hat build of Apache Camel 4 for Quarkus 3",
    "fix_state" : "Fix deferred",
    "package_name" : "netty-codec-http2",
    "cpe" : "cpe:/a:redhat:camel_quarkus:3"
  }, {
    "product_name" : "Red Hat build of Apache Camel for Spring Boot 4",
    "fix_state" : "Fix deferred",
    "package_name" : "netty-codec-http2",
    "cpe" : "cpe:/a:redhat:camel_spring_boot:4"
  }, {
    "product_name" : "Red Hat build of Apache Camel - HawtIO 4",
    "fix_state" : "Fix deferred",
    "package_name" : "netty-codec-http2",
    "cpe" : "cpe:/a:redhat:apache_camel_hawtio:4"
  }, {
    "product_name" : "Red Hat build of Apicurio Registry 3",
    "fix_state" : "Fix deferred",
    "package_name" : "netty-codec-http2",
    "cpe" : "cpe:/a:redhat:apicurio_registry:3"
  }, {
    "product_name" : "Red Hat build of Debezium 3",
    "fix_state" : "Fix deferred",
    "package_name" : "netty-codec-http2",
    "cpe" : "cpe:/a:redhat:debezium:3"
  }, {
    "product_name" : "Red Hat Build of Keycloak",
    "fix_state" : "Fix deferred",
    "package_name" : "netty-codec-http2",
    "cpe" : "cpe:/a:redhat:build_keycloak:"
  }, {
    "product_name" : "Red Hat Build of Keycloak",
    "fix_state" : "Fix deferred",
    "package_name" : "rhbk/keycloak-rhel9",
    "cpe" : "cpe:/a:redhat:build_keycloak:"
  }, {
    "product_name" : "Red Hat Build of Keycloak",
    "fix_state" : "Fix deferred",
    "package_name" : "rhbk/keycloak-rhel9-operator",
    "cpe" : "cpe:/a:redhat:build_keycloak:"
  }, {
    "product_name" : "Red Hat Build of Keycloak",
    "fix_state" : "Fix deferred",
    "package_name" : "rhbk-openshift-rhel9/rhbk-openshift-rhel9",
    "cpe" : "cpe:/a:redhat:build_keycloak:"
  }, {
    "product_name" : "Red Hat Build of Keycloak",
    "fix_state" : "Fix deferred",
    "package_name" : "rhbk-rhel9-operator/rhbk-rhel9-operator",
    "cpe" : "cpe:/a:redhat:build_keycloak:"
  }, {
    "product_name" : "Red Hat Data Grid 8",
    "fix_state" : "Fix deferred",
    "package_name" : "netty-codec-http2",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3",
    "fix_state" : "Not affected",
    "package_name" : "bazel6",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3",
    "fix_state" : "Not affected",
    "package_name" : "bazel7",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3",
    "fix_state" : "Not affected",
    "package_name" : "bazel8",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3"
  }, {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Fix deferred",
    "package_name" : "netty-codec-http2",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7",
    "fix_state" : "Fix deferred",
    "package_name" : "netty-codec-http2",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack",
    "fix_state" : "Fix deferred",
    "package_name" : "netty-codec-http2",
    "cpe" : "cpe:/a:redhat:jbosseapxp"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Fix deferred",
    "package_name" : "rhoai/odh-modelmesh-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Fix deferred",
    "package_name" : "rhoai/odh-spark-operator-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Fix deferred",
    "package_name" : "rhoai/odh-th06-cpu-torch210-py312-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Fix deferred",
    "package_name" : "rhoai/odh-th06-cpu-torch291-py312-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Fix deferred",
    "package_name" : "rhoai/odh-th06-cuda130-torch210-py312-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Fix deferred",
    "package_name" : "rhoai/odh-th06-cuda130-torch291-py312-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Fix deferred",
    "package_name" : "rhoai/odh-th06-rocm64-torch291-py312-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Fix deferred",
    "package_name" : "rhoai/odh-trustyai-service-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces",
    "fix_state" : "Fix deferred",
    "package_name" : "devspaces/jetbrains-ide-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces",
    "fix_state" : "Fix deferred",
    "package_name" : "devspaces/multicluster-redirector-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces",
    "fix_state" : "Fix deferred",
    "package_name" : "devspaces/openvsx-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces",
    "fix_state" : "Affected",
    "package_name" : "devspaces/pluginregistry-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces",
    "fix_state" : "Not affected",
    "package_name" : "devspaces/server-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3"
  }, {
    "product_name" : "Red Hat Single Sign-On 7",
    "fix_state" : "Fix deferred",
    "package_name" : "netty-codec-http2",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7"
  }, {
    "product_name" : "streams for Apache Kafka 2",
    "fix_state" : "Fix deferred",
    "package_name" : "netty-codec-http2",
    "cpe" : "cpe:/a:redhat:amq_streams:2"
  }, {
    "product_name" : "streams for Apache Kafka 3",
    "fix_state" : "Fix deferred",
    "package_name" : "netty-codec-http2",
    "cpe" : "cpe:/a:redhat:amq_streams:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-47244\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-47244\nhttps://github.com/netty/netty/releases/tag/netty-4.1.135.Final\nhttps://github.com/netty/netty/releases/tag/netty-4.2.15.Final\nhttps://github.com/netty/netty/security/advisories/GHSA-5x3r-wrvg-rp6q" ],
  "name" : "CVE-2026-47244",
  "mitigation" : {
    "value" : "Configure affected applications using Netty HTTP/2 servers to explicitly set a maximum concurrent streams limit. Consult product-specific documentation for instructions on how to apply this configuration. Additionally, restrict network access to affected services to trusted clients and networks by implementing firewall rules or other network access controls. This may impact legitimate traffic if not carefully configured.",
    "lang" : "en:us"
  },
  "csaw" : false
}