Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATION` frames. The server's lack of a limit on the number of `CONTINUATION` frames, combined with a bypass of existing size-based mitigations using zero-byte frames, allows an user to cause excessive CPU consumption with minimal bandwidth, rendering the server unresponsive. Versions 4.1.132.Final and 4.2.10.Final fix the issue.

The version of HCL BigFix Remote Control running on the remote host is 10.1.0.0442 or earlier. It is, therefore, affected by multiple vulnerabilities:

  - A misconfigured Content Security Policy (CSP) in HCL BigFix Remote Control Server WebUI (versions     10.1.0.0442 and earlier) fails to define directives without fallbacks, allowing attackers to bypass     intended security restrictions and load unauthorized resources. (CVE-2026-21785)

  - Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling     request smuggling attacks. (CVE-2026-33870)

  - Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final     and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by     sending a flood of CONTINUATION frames. The server's lack of a limit on the number of CONTINUATION frames,     combined with a bypass of existing size-based mitigations using zero-byte frames, allows an user to cause     excessive CPU consumption with minimal bandwidth, rendering the server unresponsive. (CVE-2026-33871)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:18054 advisory.

    Red Hat JBoss Enterprise Application Platform 8 is a platform for Java applications based on the WildFly     application runtime. This release of Red Hat JBoss Enterprise Application Platform 8.1.6 serves as a     replacement for Red Hat JBoss Enterprise Application Platform 8.1.5, and includes bug fixes and     enhancements. See the Red Hat JBoss Enterprise Application Platform 8.1.6 Release Notes for information     about the most significant bug fixes and enhancements included in this release.

    Security Fix(es):

    * bcprov-jdk18on: GOSTCTR implementation unable to process more than 255 blocks correctly (CVE-2025-14813)

    *bouncycastle: BC-JAVA: GOSTCTR implementation unable to process more than 255 blocks correctly     (CVE-2025-14813)

    * bouncycastle: BC-JAVA: unbounded PGP AEAD chunk size leads to pre-auth resource exhaustion     (CVE-2026-3505)

    * bouncycastle: BC-JAVA: PKIX draft CompositeVerifier accepts empty signature sequence as valid     (CVE-2026-5588)

    * bcprov-ext-jdk15on: LDAP injection vulnerability in LDAPStoreHelper.java (CVE-2026-0636)

    * bcprov-jdk12: private key leakage via non-constant time comparisons (CVE-2026-5598)

    * netty-codec-http: Netty: Denial of Service via HTTP/2 CONTINUATION frame flood (CVE-2026-33871)

    * netty-codec-http: Netty: Request smuggling via incorrect parsing of HTTP/1.1 chunked transfer encoding     extension values (CVE-2026-33870)

    * artemis-server: Apache Artemis, Apache ActiveMQ Artemis: Message injection and exfiltration due to     missing authentication (CVE-2026-27446)

    * org.hibernate.orm/hibernate-c3p0: c3p0: Arbitrary Code Execution via deserialization of crafted objects     [(CVE-2026-27830)

    * org.keycloak-keycloak-parent: Minimatch: Denial of Service via catastrophic backtracking in glob     expressions (CVE-2026-27904)

    * mchange-commons-java: mchange-commons-java: Arbitrary code execution via JNDI dereferencing of crafted     objects (CVE-2026-27727)

    * io.hawt-project: minimatch: Denial of Service via specially crafted glob patterns (CVE-2026-26996)

    * wildfly-elytron-integration: Wildfly Elytron Brute Force Attack via CLI  (CVE-2025-23368)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:18055 advisory.

    Red Hat JBoss Enterprise Application Platform 8 is a platform for Java applications based on the WildFly     application runtime. This release of Red Hat JBoss Enterprise Application Platform 8.1.6 serves as a     replacement for Red Hat JBoss Enterprise Application Platform 8.1.5, and includes bug fixes and     enhancements. See the Red Hat JBoss Enterprise Application Platform 8.1.6 Release Notes for information     about the most significant bug fixes and enhancements included in this release.

    Security Fix(es):

    * bcprov-jdk18on: GOSTCTR implementation unable to process more than 255 blocks correctly (CVE-2025-14813)

    *bouncycastle: BC-JAVA: GOSTCTR implementation unable to process more than 255 blocks correctly     (CVE-2025-14813)

    * bouncycastle: BC-JAVA: unbounded PGP AEAD chunk size leads to pre-auth resource exhaustion     (CVE-2026-3505)

    * bouncycastle: BC-JAVA: PKIX draft CompositeVerifier accepts empty signature sequence as valid     (CVE-2026-5588)

    * bcprov-ext-jdk15on: LDAP injection vulnerability in LDAPStoreHelper.java (CVE-2026-0636)
    * bcprov-jdk12: private key leakage via non-constant time comparisons (CVE-2026-5598)

    * netty-codec-http: Netty: Denial of Service via HTTP/2 CONTINUATION frame flood (CVE-2026-33871)

    * netty-codec-http: Netty: Request smuggling via incorrect parsing of HTTP/1.1 chunked transfer encoding     extension values (CVE-2026-33870)

    * artemis-server: Apache Artemis, Apache ActiveMQ Artemis: Message injection and exfiltration due to     missing authentication (CVE-2026-27446)

    * org.hibernate.orm/hibernate-c3p0: c3p0: Arbitrary Code Execution via deserialization of crafted objects     (CVE-2026-27830)

    * org.keycloak-keycloak-parent: Minimatch: Denial of Service via catastrophic backtracking in glob     expressions (CVE-2026-27904)

    * mchange-commons-java: mchange-commons-java: Arbitrary code execution via JNDI dereferencing of crafted     objects (CVE-2026-27727)

    * io.hawt-project: minimatch: Denial of Service via specially crafted glob patterns (CVE-2026-26996)

    * wildfly-elytron-integration: Wildfly Elytron Brute Force Attack via CLI (CVE-2025-23368)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Atlassian Bamboo installed on the remote host is 9.6.x prior to 9.6.25, 10.x prior to 10.2.18, or 11.x prior to 12.1.6. It is, therefore, affected by multiple vulnerabilities:

  - An OS command injection vulnerability allows an authenticated attacker to execute commands on the remote system,     which has high impact to confidentiality, integrity, and availability. (CVE-2026-21571)

  - A denial of service (DoS) vulnerability in the io.netty:netty-codec-http2 dependency. A remote user can trigger     a DoS against a Netty HTTP/2 server by sending a flood of CONTINUATION frames, causing excessive CPU consumption     with minimal bandwidth. (CVE-2026-33871)

  - An HTTP request smuggling vulnerability in the org.apache.tomcat:tomcat-catalina dependency via invalid chunk     extension. (CVE-2026-24880)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:1353-1 advisory.

    Upidate to 4.1.132:

    - CVE-2026-33870: incorrectly parses quoted strings in HTTP/1.1 can lead to request smuggling     (bsc#1261031).
    - CVE-2026-33871: sending a flood of CONTINUATION frames can lead to a denial of service (bsc#1261043).

    Changelog:

    - Upgrade to upstream version 4.1.132
     * Fixes:
     + Fix Incorrect nanos-to-millis conversion in epoll_wait EINTR      retry loop      + Make RefCntOpenSslContext.deallocate more robust      + HTTP2: Correctly account for padding when decompress      + Fix high-order bit aliasing in HttpUtil.validateToken      + fix: the precedence of + is higher than >>      + AdaptiveByteBufAllocator: make sure byteBuf.capacity() not      greater than byteBuf.maxCapacity()      + AdaptivePoolingAllocator: call unreserveMatchingBuddy(...)      if byteBuf initialization failed      + Don't assume CertificateFactory is thread-safe      + Fix HttpObjectAggregator leaving connection stuck after 413      with AUTO_READ=false      + HTTP2: Ensure preface is flushed in all cases      + Fix UnsupportedOperationException in readTrailingHeaders      + Fix client_max_window_bits parameter handling in      permessage-deflate extension      + Native transports: Fix possible fd leak when fcntl fails.
     + Kqueue: Fix undefined behaviour when GetStringUTFChars fails      and SO_ACCEPTFILTER is supported      + Kqueue: Possible overflow when using      netty_kqueue_bsdsocket_setAcceptFilter(...)      + Native transports: Fix undefined behaviour when      GetStringUTFChars fails while open FD      + Epoll: Add null checks for safety reasons      + Epoll: Use correct value to initialize mmsghdr.msg_namelen      + Epoll: Fix support for IP_RECVORIGDSTADDR      + AdaptivePoolingAllocator: remove ensureAccessible() call in      capacity(int) method      + Epoll: setTcpMg5Sig(...) might overflow      + JdkZlibDecoder: accumulate decompressed output before firing      channelRead      + Limit the number of Continuation frames per HTTP2 Headers      (bsc#1261043, CVE-2026-33871)      + Stricter HTTP/1.1 chunk extension parsing (bsc#1261031,      CVE-2026-33870)      + rediff
    - Upgrade to upstream version 4.1.131      + NioDatagramChannel.block(...) does not early return on failure      + Support for AWS Libcrypto (AWS-LC) netty-tcnative build      + codec-dns: Decompress MX RDATA exchange domain names during      DNS record decoding      + Buddy allocation for large buffers in adaptive allocator      + SslHandler: Only resume on EventLoop if EventLoop is not      shutting down already      + Wrap ECONNREFUSED in PortUnreachableException for UDP      + Bump com.ning:compress-lzf (4.1)      + Fix adaptive allocator bug from not noticing failed allocation      + Avoid loosing original read exception      + Backport multiple adaptive allocator changes
    - Upgrade to version 4.1.130
    - Upgrade to version 2.0.75 Final
     * No formal changelog present
     * Needed by netty >= 4.2.11

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final     and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by     sending a flood of `CONTINUATION` frames. The server's lack of a limit on the number of `CONTINUATION`     frames, combined with a bypass of existing size-based mitigations using zero-byte frames, allows an user     to cause excessive CPU consumption with minimal bandwidth, rendering the server unresponsive. Versions     4.1.132.Final and 4.2.10.Final fix the issue. (CVE-2026-33871)

Note that Nessus relies on the presence of the package as reported by the vendor.

ID	Name	Product	Family	Severity
318683	HCL BigFix Remote Control <= 10.1.0.0442 Multiple Vulnerabilities	Nessus	CGI abuses	high
315192	RHEL 8 : Red Hat JBoss Enterprise Application Platform 8.1.6 (RHSA-2026:18054)	Nessus	Red Hat Local Security Checks	critical
315188	RHEL 9 : Red Hat JBoss Enterprise Application Platform 8.1.6 (RHSA-2026:18055)	Nessus	Red Hat Local Security Checks	critical
311429	Atlassian Bamboo 9.6.x < 9.6.25 / 10.x < 10.2.18 / 11.x < 12.1.6 Multiple Vulnerabilities	Nessus	CGI abuses	critical
306709	SUSE SLED15 / SLES15 / openSUSE 15 Security Update : netty, netty-tcnative (SUSE-SU-2026:1353-1)	Nessus	SuSE Local Security Checks	high
304170	Linux Distros Unpatched Vulnerability : CVE-2026-33871	Nessus	Misc.	high

Detections

Analytics

CVE-2026-33871

high

Tenable Plugins

high

critical

critical

critical

high

high