CVE-2026-44241 Overview
CVE-2026-44241 affects the Micronaut Framework, a JVM-based full-stack Java framework for building modular applications. The flaw exists in TimeConverterRegistrar, which caches DateTimeFormatter instances in an unbounded ConcurrentHashMap keyed on the @Format annotation pattern combined with the locale derived from the HTTP Accept-Language header. An unauthenticated remote attacker can submit requests with novel BCP 47 locale tags to grow the cache without limit, exhausting heap memory and crashing the JVM. The issue impacts Micronaut Framework versions 4.3.0 through 4.10.21 and is fixed in 4.10.22. The weakness is classified as Uncontrolled Resource Consumption [CWE-400].
Critical Impact
Unauthenticated attackers can crash Micronaut-based applications by triggering memory exhaustion through crafted Accept-Language headers.
Affected Products
- Micronaut Framework 4.3.0 through 4.10.21
- Java applications using TimeConverterRegistrar with @Format annotations
- HTTP endpoints that bind locale-aware date or time parameters
Discovery Timeline
- 2026-05-12 - CVE-2026-44241 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-44241
Vulnerability Analysis
The vulnerability is an Uncontrolled Resource Consumption flaw in Micronaut's time conversion logic. TimeConverterRegistrar builds and caches a DateTimeFormatter for each unique combination of format pattern and locale. The cache is a ConcurrentHashMap<String, DateTimeFormatter> with no eviction policy or size bound. Cache keys derive directly from attacker-controlled input in the HTTP Accept-Language header, allowing remote callers to insert entries indefinitely.
Root Cause
The root cause is the use of Locale.forLanguageTag() for cache key derivation without input normalization. The method accepts arbitrary BCP 47 private-use extensions such as en-x-a001, en-x-a002, and similar variants. Each unique tag produces a distinct Locale object and therefore a distinct cache key. The map never evicts entries, so memory grows linearly with request volume.
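The following Java class is an added illustration of the key-derivation problem described above and of one way to bound it; it is not Micronaut's TimeConverterRegistrar and not the project's fix. Class, method and field names (BoundedFormatterCache, unboundedKey, resolveLocale, SUPPORTED, MAX_ENTRIES) are hypothetical. The raw-tag key reproduces the behaviour in the text: every distinct private-use tag yields a distinct key. The normalised variant resolves the request against a fixed list of locales the application actually supports (RFC 4647 lookup via Locale.lookup), so the key space is at most the number of patterns times the number of supported locales, and an LRU size cap is kept as defence in depth. Requires Java 11 or later.

```java
import java.time.format.DateTimeFormatter;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/** Hypothetical formatter cache; not Micronaut code. */
public final class BoundedFormatterCache {

    // Locales the application supports. Only these can ever become part of a cache key.
    private static final List<Locale> SUPPORTED = List.of(Locale.ENGLISH, Locale.FRENCH, Locale.GERMAN);

    // Defence in depth: even with normalisation, cap the number of entries (LRU eviction).
    private static final int MAX_ENTRIES = 256;

    private final Map<String, DateTimeFormatter> cache = Collections.synchronizedMap(
        new LinkedHashMap<String, DateTimeFormatter>(16, 0.75f, true) {
            @Override
            protected boolean removeEldestEntry(Map.Entry<String, DateTimeFormatter> eldest) {
                return size() > MAX_ENTRIES;
            }
        });

    /** The unbounded pattern from the advisory: the raw Accept-Language value becomes part of the key. */
    static String unboundedKey(String pattern, String acceptLanguage) {
        // forLanguageTag() is lenient and preserves private-use subtags, so en-x-a001 and en-x-a002 differ.
        Locale locale = Locale.forLanguageTag(acceptLanguage);
        return pattern + "|" + locale.toLanguageTag();
    }

    /** Normalised key input: resolve the header against SUPPORTED, falling back to Locale.ROOT. */
    static Locale resolveLocale(String acceptLanguage) {
        if (acceptLanguage == null || acceptLanguage.isBlank()) {
            return Locale.ROOT;
        }
        try {
            // LanguageRange.parse understands the full Accept-Language syntax, including q-values.
            List<Locale.LanguageRange> ranges = Locale.LanguageRange.parse(acceptLanguage);
            Locale match = Locale.lookup(ranges, SUPPORTED);
            return match != null ? match : Locale.ROOT;
        } catch (IllegalArgumentException e) {
            // A malformed header must not be able to mint a new key either.
            return Locale.ROOT;
        }
    }

    DateTimeFormatter formatter(String pattern, String acceptLanguage) {
        Locale locale = resolveLocale(acceptLanguage);
        String key = pattern + "|" + locale.toLanguageTag();
        return cache.computeIfAbsent(key, k -> DateTimeFormatter.ofPattern(pattern, locale));
    }

    int size() {
        return cache.size();
    }

    public static void main(String[] args) {
        BoundedFormatterCache bounded = new BoundedFormatterCache();
        Set<String> rawKeys = new HashSet<>();
        // Constructed sample traffic: one request per private-use tag, as the advisory describes.
        for (int i = 0; i < 10_000; i++) {
            String header = "en-x-a" + i;
            rawKeys.add(unboundedKey("yyyy-MM-dd", header));
            bounded.formatter("yyyy-MM-dd", header);
        }
        System.out.println("raw keys: " + rawKeys.size());
        System.out.println("normalised cache entries: " + bounded.size());
    }
}
```

Every en-x-aN header resolves to the supported locale en under RFC 4647 lookup (the private-use subtag and its singleton are truncated away), so the normalised cache holds a single entry for the pattern while the raw-key set grows by one per request. Normalisation, not just a size cap, is the important part: a cap alone still lets a remote client evict every legitimate entry and turn the cache into a miss-every-time formatter factory.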
Attack Vector
An unauthenticated attacker sends HTTP requests to any endpoint that exercises a @Format-annotated date or time parameter. Each request carries a unique Accept-Language value using private-use subtags. The server inserts a new DateTimeFormatter instance into the cache for every distinct tag. Sustained traffic exhausts JVM heap memory, producing OutOfMemoryError conditions and process termination. No authentication, privileges, or user interaction are required.
The vulnerability is described in prose without exploitation code. Refer to the GitHub Security Advisory GHSA-8hjv-92q9-g4xj for additional technical context.
Detection Methods for CVE-2026-44241
Indicators of Compromise
- HTTP requests containing unusual Accept-Language headers with private-use BCP 47 extensions such as en-x-a001, en-x-a002, or other random subtags
- High volume of distinct Accept-Language values from a single source or small set of source IPs
- Java Virtual Machine (JVM) heap utilization trending upward without corresponding business traffic growth
- Application logs reporting java.lang.OutOfMemoryError: Java heap space followed by service restarts
Detection Strategies
- Inspect web access logs for Accept-Language header entropy and flag clients sending many unique locale tags within short time windows
- Monitor JVM heap occupancy and full garbage collection frequency on Micronaut applications and alert on sustained growth
- Correlate HTTP request rates with heap metrics to identify low-bandwidth attacks producing disproportionate memory pressure
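The following Java program is an added example of the first detection strategy above (Accept-Language entropy per client within a short window); it is not part of the advisory and not a Micronaut component. The access-log line format is an assumption: ISO-8601 timestamp, client IP, method, path, then the Accept-Language header in double quotes, one request per line in timestamp order. The sample lines are constructed. Class and record names (AcceptLanguageEntropyDetector, Event, Finding) are hypothetical. Requires Java 16 or later for records.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayDeque;
import java.util.ArrayList;
import java.util.Deque;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Hypothetical detector; assumed log format: <ts> <ip> <method> <path> "<Accept-Language>". */
public final class AcceptLanguageEntropyDetector {

    private static final Pattern LINE =
        Pattern.compile("^(\\S+) (\\S+) (\\S+) (\\S+) \"([^\"]*)\"$");
    // BCP 47 private-use singleton: "x-" at the start of a tag or after a hyphen.
    private static final Pattern PRIVATE_USE = Pattern.compile("(?i)(^|-)x-");

    record Event(Instant ts, String ip, String acceptLanguage) {}

    /** One finding per source IP: distinct tags seen in the window and how many carried private-use subtags. */
    record Finding(String ip, int distinctTags, long privateUseTags) {}

    static Optional<Event> parse(String line) {
        Matcher m = LINE.matcher(line);
        if (!m.matches()) {
            return Optional.empty();
        }
        return Optional.of(new Event(Instant.parse(m.group(1)), m.group(2), m.group(5).trim()));
    }

    /**
     * Sliding-window count of distinct Accept-Language values per source IP.
     * An IP is reported once it reaches {@code threshold} distinct values within {@code window}.
     */
    static List<Finding> detect(List<String> lines, Duration window, int threshold) {
        Map<String, Deque<Event>> recent = new HashMap<>();
        Map<String, Map<String, Integer>> tagCounts = new HashMap<>();
        Map<String, Finding> findings = new LinkedHashMap<>();

        for (String line : lines) {
            Event e = parse(line).orElse(null);
            if (e == null) {
                continue; // line does not fit the assumed format
            }
            Deque<Event> dq = recent.computeIfAbsent(e.ip(), k -> new ArrayDeque<>());
            Map<String, Integer> counts = tagCounts.computeIfAbsent(e.ip(), k -> new HashMap<>());

            // Expire events older than the window and release their tag counts.
            Instant cutoff = e.ts().minus(window);
            while (!dq.isEmpty() && dq.peekFirst().ts().isBefore(cutoff)) {
                Event old = dq.pollFirst();
                counts.computeIfPresent(old.acceptLanguage(), (k, v) -> v > 1 ? Integer.valueOf(v - 1) : null);
            }
            dq.addLast(e);
            counts.merge(e.acceptLanguage(), 1, Integer::sum);

            if (counts.size() >= threshold) {
                long priv = counts.keySet().stream().filter(t -> PRIVATE_USE.matcher(t).find()).count();
                findings.put(e.ip(), new Finding(e.ip(), counts.size(), priv)); // latest picture for this IP
            }
        }
        return new ArrayList<>(findings.values());
    }

    public static void main(String[] args) {
        // Constructed sample log: a normal client and one client cycling private-use subtags.
        List<String> lines = new ArrayList<>();
        for (int i = 0; i < 12; i++) {
            String ts = String.format("2026-05-13T10:00:%02dZ", i);
            lines.add(ts + " 10.0.0.5 GET /orders?since=2026-05-01 \"en-US,en;q=0.9\"");
            lines.add(ts + " 198.51.100.7 GET /orders?since=2026-05-01 \"en-x-a" + String.format("%03d", i) + "\"");
        }
        for (Finding f : detect(lines, Duration.ofSeconds(30), 10)) {
            System.out.println("ALERT " + f.ip() + ": " + f.distinctTags()
                + " distinct Accept-Language values, " + f.privateUseTags() + " with private-use subtags");
        }
    }
}
```

The normal client repeats one header and never reaches the threshold; the second client reports once it has sent ten distinct values inside the 30-second window. Both the window and the threshold are tuning knobs: legitimate clients behind a shared NAT can show a handful of distinct tags, but dozens of unique values, almost all with an x- singleton, from one source is the pattern this advisory describes.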
Monitoring Recommendations
- Export JVM metrics through Micrometer or JMX and track jvm.memory.used against baselines
- Enable structured access logging that captures the Accept-Language header for forensic review
- Configure web application firewall (WAF) rules to count distinct Accept-Language values per source and alert on anomalies
How to Mitigate CVE-2026-44241
Immediate Actions Required
- Upgrade Micronaut Framework to version 4.10.22 or later across all affected services
- Inventory applications using @Format annotations and verify they consume the patched dependency
- Restart JVM processes after upgrade to clear any cache state accumulated before patching
Patch Information
The maintainers fixed CVE-2026-44241 in Micronaut Framework 4.10.22. The release notes are available at the GitHub Release v4.10.22 page. Detailed advisory information is published in the GitHub Security Advisory GHSA-8hjv-92q9-g4xj.
Workarounds
- Strip or normalize the Accept-Language header at an upstream reverse proxy before requests reach Micronaut
- Reject Accept-Language values containing private-use extensions (-x- subtags) at the WAF layer
- Apply per-source rate limiting on endpoints that accept locale-aware date or time parameters
# Example nginx configuration to restrict Accept-Language values
# The map directive belongs in the http context. $blocked_locale becomes 1 when the
# header carries a BCP 47 private-use singleton, i.e. "x-" at the start of a tag
# (a pure private-use tag such as x-foo) or after a hyphen (en-x-a001). The match
# is a case-insensitive regex (~*), so "X-" is caught as well.
map $http_accept_language $blocked_locale {
    default 0;
    "~*(^|-)x-" 1;
}

server {
    # Reject the request before it is proxied to the Micronaut application.
    if ($blocked_locale) {
        return 400;
    }
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.