CVE-2026-44242 Overview
CVE-2026-44242 affects the Micronaut Framework, a Java Virtual Machine (JVM) based full-stack framework for building modular applications. The vulnerability exists in versions prior to 4.10.22 within the bundleCache mechanism used by ResourceBundleMessageSource. The cache is keyed by (Locale, baseName), where the locale value comes directly from the HTTP Accept-Language header. An unauthenticated remote attacker can submit requests containing many unique Accept-Language values, each populating a new entry in an unbounded cache. This results in heap memory exhaustion and a denial-of-service condition. The flaw is tracked under CWE-400: Uncontrolled Resource Consumption.
Critical Impact
Unauthenticated attackers can exhaust JVM heap memory in vulnerable Micronaut applications by sending crafted requests with varied Accept-Language headers, causing denial of service.
Affected Products
- Micronaut Framework versions prior to 4.10.22
- Applications explicitly registering a ResourceBundleMessageSource bean
- Micronaut applications serving HTML error responses
Discovery Timeline
- 2026-05-12 - CVE-2026-44242 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-44242
Vulnerability Analysis
The vulnerability resides in the Micronaut Framework's internationalization (i18n) message resolution path. When an application registers a ResourceBundleMessageSource bean and renders HTML error responses, the framework looks up localized messages using the client-supplied locale. Each resolution attempt caches the result in bundleCache, a map keyed by the tuple (Locale, baseName). The cache has no size limit, no eviction policy, and no validation that the locale represents a meaningful language tag.
An attacker who controls the Accept-Language header controls the Locale portion of the cache key. By sending many requests with distinct synthetic locale strings, the attacker forces continuous cache growth. Because error response paths trigger the lookup, no authentication or valid application route is required. The CWE-400 classification reflects the uncontrolled growth of an internal data structure tied to attacker-controlled input.
Root Cause
The root cause is the absence of bounding controls on bundleCache. The cache trusts client-provided locale values as legitimate cache keys without normalization, allowlisting, or size limits. Every unique locale string consumes additional heap until the JVM throws OutOfMemoryError.
Attack Vector
The attack vector is network-based and unauthenticated. An attacker sends HTTP requests to any endpoint that returns an HTML error response, varying the Accept-Language header on each request. No user interaction is needed. Successful exploitation degrades application availability and may crash the JVM process. Refer to the GitHub Security Advisory GHSA-3rfq-4wpf-qqw3 for additional technical context.
Detection Methods for CVE-2026-44242
Indicators of Compromise
- High volume of HTTP requests from a single source containing unusual or randomized Accept-Language header values.
- JVM heap usage growth correlated with inbound HTTP traffic, followed by OutOfMemoryError entries in application logs.
- Increased response latency or 5xx error rates on Micronaut endpoints serving HTML error pages.
Detection Strategies
- Inspect web access logs for requests where Accept-Language values are non-standard, excessively long, or unique per request.
- Correlate JVM garbage collection metrics and heap dumps showing large bundleCache retention against incoming request patterns.
- Deploy WAF rules to flag traffic where the cardinality of Accept-Language values exceeds expected baselines.
Monitoring Recommendations
- Track JVM heap utilization, GC frequency, and OutOfMemoryError events from Micronaut services.
- Monitor distinct Accept-Language header values per source IP and alert on anomalous diversity.
- Set alerts on HTTP error response rates from endpoints backed by ResourceBundleMessageSource.
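The detection and monitoring points above (distinct Accept-Language values per source, malformed or overlong values, and their correlation with error responses) as a small log analyzer. This is an added example in Python, not code from the advisory or the Micronaut project; it assumes an access-log format that appends the Accept-Language header as the last quoted field, and the log lines are constructed.

```python
"""Flag clients whose Accept-Language usage suggests cache-key flooding.

Added example, not the advisory's or Micronaut's code. Assumes a log format
that appends the Accept-Language header as the last quoted field; the sample
lines are constructed."""

import re
from collections import defaultdict

# Constructed sample: 10.0.0.5 behaves normally; 203.0.113.9 cycles through
# synthetic locales while hitting a path that returns an HTML error page.
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2026:10:00:01 +0000] "GET /missing HTTP/1.1" 404 812 "en-US,en;q=0.9"
10.0.0.5 - - [12/May/2026:10:00:02 +0000] "GET /missing HTTP/1.1" 404 812 "en-US,en;q=0.9"
203.0.113.9 - - [12/May/2026:10:00:03 +0000] "GET /missing HTTP/1.1" 404 812 "xx-AAAA1"
203.0.113.9 - - [12/May/2026:10:00:03 +0000] "GET /missing HTTP/1.1" 404 812 "xx-AAAA2"
203.0.113.9 - - [12/May/2026:10:00:04 +0000] "GET /missing HTTP/1.1" 404 812 "zz-0000000000000000000000"
203.0.113.9 - - [12/May/2026:10:00:04 +0000] "GET /missing HTTP/1.1" 404 812 "q-1"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (?P<status>\d{3}) \d+ "(?P<lang>[^"]*)"$'
)
TAG_RE = re.compile(r"^[A-Za-z]{2,3}(-[A-Za-z0-9]{1,8})*$")

def is_malformed(header: str, max_len: int = 64) -> bool:
    """True if the header is overlong or any element fails the BCP 47-like TAG_RE shape."""
    if len(header) > max_len:
        return True
    for part in header.split(","):
        tag = part.split(";")[0].strip()
        if tag != "*" and not TAG_RE.match(tag):
            return True
    return False

def analyze(log_text: str, max_distinct: int = 3) -> dict:
    """Return findings per client IP whose Accept-Language use looks anomalous."""
    distinct, malformed, errors = defaultdict(set), defaultdict(int), defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; count these separately in a real pipeline
        ip, lang = m["ip"], m["lang"]
        distinct[ip].add(lang)
        malformed[ip] += is_malformed(lang)
        errors[ip] += m["status"][0] in "45"  # 4xx/5xx: the HTML error path
    findings = {}
    for ip, langs in distinct.items():
        if len(langs) > max_distinct or malformed[ip]:
            findings[ip] = {"distinct": len(langs), "malformed": malformed[ip], "error_responses": errors[ip]}
    return findings
```

Fed a real access log, the same function gives the per-source cardinality figure that a WAF baseline or alert threshold would key on.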
How to Mitigate CVE-2026-44242
Immediate Actions Required
- Upgrade Micronaut Framework to version 4.10.22 or later, which contains the fix.
- Identify applications that register a ResourceBundleMessageSource bean and prioritize them for patching.
- Deploy rate limiting and WAF protections in front of exposed Micronaut services pending the upgrade.
Patch Information
The vulnerability is fixed in Micronaut Framework 4.10.22. Review the GitHub Security Advisory GHSA-3rfq-4wpf-qqw3 for upgrade guidance and release notes.
Workarounds
- Restrict or normalize the Accept-Language header at an upstream proxy or WAF, allowing only a finite set of supported locales.
- Avoid serving HTML error responses from endpoints that use ResourceBundleMessageSource, or replace it with a custom message source that bounds its cache.
- Apply per-client rate limiting to reduce the rate at which unique locale values can be submitted.
# Example NGINX configuration to constrain Accept-Language values.
# The map must be placed in the http context. Every client value collapses to
# one of a fixed set of tags, so the backend never receives an attacker-chosen
# locale string and the (Locale, baseName) key space stays finite.
map $http_accept_language $safe_lang {
    default  "en-US";
    "~*^en"  "en-US";
    "~*^fr"  "fr-FR";
    "~*^de"  "de-DE";
    "~*^es"  "es-ES";
    "~*^ja"  "ja-JP";
}
server {
    location / {
        proxy_set_header Accept-Language $safe_lang;
        proxy_pass http://micronaut_backend;
    }
}
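The same two controls from the workarounds list, header normalization to a finite locale set and a bounded cache keyed by (locale, baseName), carried into application code. This is an added example in Python rather than a Micronaut MessageSource implementation; the SUPPORTED table, the loader callback and the cache size are assumptions.

```python
"""Collapse Accept-Language to a finite locale set and bound the bundle cache.

Added example, not the advisory's or Micronaut's code. SUPPORTED, the loader
callback and the cache size are assumptions; a real message source would load
ResourceBundles keyed by the negotiated locale and base name."""
from collections import OrderedDict

SUPPORTED = {"en": "en-US", "fr": "fr-FR", "de": "de-DE", "es": "es-ES", "ja": "ja-JP"}
DEFAULT_LOCALE = "en-US"


def negotiate_locale(accept_language: str) -> str:
    """Return the highest-q supported locale; unknown or junk tags get the default."""
    candidates = []
    for pos, element in enumerate(accept_language.split(",")):
        fields = [f.strip() for f in element.split(";")]
        q = 1.0
        for f in fields[1:]:
            if f.startswith("q="):
                try:
                    q = float(f[2:])
                except ValueError:
                    q = 0.0
        lang = fields[0].split("-")[0].lower()
        if q > 0 and lang in SUPPORTED:
            candidates.append((-q, pos, SUPPORTED[lang]))  # earliest wins ties
    return min(candidates)[2] if candidates else DEFAULT_LOCALE


class BoundedBundleCache:
    """LRU cache keyed by (locale, base_name). The key space is already finite
    because locale comes from negotiate_locale; max_size guards other callers."""

    def __init__(self, loader, max_size: int = 64):
        self._loader, self._max, self._cache = loader, max_size, OrderedDict()

    def get(self, accept_language: str, base_name: str):
        key = (negotiate_locale(accept_language), base_name)
        if key in self._cache:
            self._cache.move_to_end(key)
            return self._cache[key]
        bundle = self._loader(*key)
        self._cache[key] = bundle
        if len(self._cache) > self._max:
            self._cache.popitem(last=False)  # evict least recently used
        return bundle

    def __len__(self) -> int:
        return len(self._cache)
```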
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.