Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATION` frames. The server's lack of a limit on the number of `CONTINUATION` frames, combined with a bypass of existing size-based mitigations using zero-byte frames, allows an user to cause excessive CPU consumption with minimal bandwidth, rendering the server unresponsive. Versions 4.1.132.Final and 4.2.10.Final fix the issue.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:1353-1 advisory.

    Upidate to 4.1.132:

    - CVE-2026-33870: incorrectly parses quoted strings in HTTP/1.1 can lead to request smuggling     (bsc#1261031).
    - CVE-2026-33871: sending a flood of CONTINUATION frames can lead to a denial of service (bsc#1261043).

    Changelog:

    - Upgrade to upstream version 4.1.132
     * Fixes:
     + Fix Incorrect nanos-to-millis conversion in epoll_wait EINTR      retry loop      + Make RefCntOpenSslContext.deallocate more robust      + HTTP2: Correctly account for padding when decompress      + Fix high-order bit aliasing in HttpUtil.validateToken      + fix: the precedence of + is higher than >>      + AdaptiveByteBufAllocator: make sure byteBuf.capacity() not      greater than byteBuf.maxCapacity()      + AdaptivePoolingAllocator: call unreserveMatchingBuddy(...)      if byteBuf initialization failed      + Don't assume CertificateFactory is thread-safe      + Fix HttpObjectAggregator leaving connection stuck after 413      with AUTO_READ=false      + HTTP2: Ensure preface is flushed in all cases      + Fix UnsupportedOperationException in readTrailingHeaders      + Fix client_max_window_bits parameter handling in      permessage-deflate extension      + Native transports: Fix possible fd leak when fcntl fails.
     + Kqueue: Fix undefined behaviour when GetStringUTFChars fails      and SO_ACCEPTFILTER is supported      + Kqueue: Possible overflow when using      netty_kqueue_bsdsocket_setAcceptFilter(...)      + Native transports: Fix undefined behaviour when      GetStringUTFChars fails while open FD      + Epoll: Add null checks for safety reasons      + Epoll: Use correct value to initialize mmsghdr.msg_namelen      + Epoll: Fix support for IP_RECVORIGDSTADDR      + AdaptivePoolingAllocator: remove ensureAccessible() call in      capacity(int) method      + Epoll: setTcpMg5Sig(...) might overflow      + JdkZlibDecoder: accumulate decompressed output before firing      channelRead      + Limit the number of Continuation frames per HTTP2 Headers      (bsc#1261043, CVE-2026-33871)      + Stricter HTTP/1.1 chunk extension parsing (bsc#1261031,      CVE-2026-33870)      + rediff
    - Upgrade to upstream version 4.1.131      + NioDatagramChannel.block(...) does not early return on failure      + Support for AWS Libcrypto (AWS-LC) netty-tcnative build      + codec-dns: Decompress MX RDATA exchange domain names during      DNS record decoding      + Buddy allocation for large buffers in adaptive allocator      + SslHandler: Only resume on EventLoop if EventLoop is not      shutting down already      + Wrap ECONNREFUSED in PortUnreachableException for UDP      + Bump com.ning:compress-lzf (4.1)      + Fix adaptive allocator bug from not noticing failed allocation      + Avoid loosing original read exception      + Backport multiple adaptive allocator changes
    - Upgrade to version 4.1.130
    - Upgrade to version 2.0.75 Final
     * No formal changelog present
     * Needed by netty >= 4.2.11

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final     and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by     sending a flood of `CONTINUATION` frames. The server's lack of a limit on the number of `CONTINUATION`     frames, combined with a bypass of existing size-based mitigations using zero-byte frames, allows an user     to cause excessive CPU consumption with minimal bandwidth, rendering the server unresponsive. Versions     4.1.132.Final and 4.2.10.Final fix the issue. (CVE-2026-33871)

Note that Nessus relies on the presence of the package as reported by the vendor.

ID	Name	Product	Family	Severity
306709	SUSE SLED15 / SLES15 / openSUSE 15 Security Update : netty, netty-tcnative (SUSE-SU-2026:1353-1)	Nessus	SuSE Local Security Checks	high
304170	Linux Distros Unpatched Vulnerability : CVE-2026-33871	Nessus	Misc.	high

Detections

Analytics

CVE-2026-33871

high

Tenable Plugins

high

high