Resource exhaustion in Netty - CVE-2026-46340

Published: June 8, 2026


Vulnerability identifier: #VU133447
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-46340
CWE-ID: CWE-400
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Netty project
Affected software: Netty

Detailed vulnerability description

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to uncontrolled resource consumption in SCTP message reassembly in netty-transport-sctp when processing incomplete SCTP message fragments. A remote attacker can send a sequence of tiny fragmented DATA chunks that never set the complete flag, so the fragments are buffered indefinitely and the service is denied.

Each stream identifier maintains its own accumulator entry, and there is no limit on fragment depth, on the total number of bytes buffered, or on the number of stream identifiers tracked.
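The per-stream accumulator the advisory describes, rewritten with the three missing limits, as an added example in Python: this is a model written for this page, not Netty's code or the vendor's fix, and the class names, function names and limit values are illustrative assumptions.

```python
class ReassemblyLimitExceeded(Exception):
    """Accepting the fragment would cross a configured limit."""

class BoundedReassembler:
    """Per-stream SCTP message reassembly capped on the three dimensions the
    advisory lists as unbounded. The limit values are illustrative assumptions."""

    def __init__(self, max_fragments_per_stream=64, max_buffered_bytes=1 << 20, max_streams=256):
        self.max_fragments_per_stream = max_fragments_per_stream
        self.max_buffered_bytes = max_buffered_bytes
        self.max_streams = max_streams
        self.pending: dict[int, list[bytes]] = {}  # stream id -> fragments so far
        self.buffered = 0  # payload bytes held across all streams

    def feed(self, stream_id: int, payload: bytes, complete: bool):
        """Return the assembled message when this chunk's complete flag ends it, else
        None. On a limit breach all state is dropped and ReassemblyLimitExceeded raised."""
        parts = self.pending.get(stream_id)
        if parts is None and len(self.pending) >= self.max_streams:
            self._abort("too many streams with pending fragments")
        parts = parts or []
        if len(parts) >= self.max_fragments_per_stream:
            self._abort("fragment depth exceeded on one stream")
        if self.buffered + len(payload) > self.max_buffered_bytes:
            self._abort("total buffered bytes exceeded")
        parts.append(payload)
        self.buffered += len(payload)
        if not complete:
            self.pending[stream_id] = parts  # keep waiting for more fragments
            return None
        self.pending.pop(stream_id, None)
        self.buffered -= sum(len(p) for p in parts)
        return b"".join(parts)

    def _abort(self, reason: str):
        self.pending.clear()  # release every accumulator, not just this stream's
        self.buffered = 0  # caller should close the association after this
        raise ReassemblyLimitExceeded(reason)

def incomplete_fragments_accepted(r: BoundedReassembler, stream_id: int, n: int) -> int:
    """Constructed test input: n one-byte fragments on one stream, none marked
    complete. Returns how many were accepted before a limit stopped the flow."""
    accepted = 0
    for _ in range(n):
        try:
            r.feed(stream_id, b"x", complete=False)
        except ReassemblyLimitExceeded:
            break
        accepted += 1
    return accepted
```

Without the three checks in `feed`, the same never-complete input grows `pending` and `buffered` without bound, which is the condition the advisory describes.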


How to mitigate CVE-2026-46340

Install the security update from the vendor's website.