CVE-2026-44241

Source
https://cve.org/CVERecord?id=CVE-2026-44241
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44241.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-44241
Aliases
Published
2026-05-12T21:20:45.249Z
Modified
2026-07-11T04:04:05.760951258Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Micronaut Framework: Unbounded formattersCache in TimeConverterRegistrar Allows Memory Exhaustion via Accept-Language Header
Details

Micronaut Framework is a JVM-based full stack Java framework designed for building modular, easily testable JVM applications. From 4.3.0 to before 4.10.22, 3.10.6, and 3.8.14, TimeConverterRegistrar caches DateTimeFormatter instances in an unbounded ConcurrentHashMap<String, DateTimeFormatter> whose key is derived from the @Format annotation pattern concatenated with the locale from the HTTP Accept-Language header. Because Locale.forLanguageTag() accepts arbitrary BCP 47 private-use extensions (en-x-a001, en-x-a002, …), an unauthenticated attacker can generate an unlimited number of unique cache keys by sending requests with novel locale tags, growing the cache until heap memory is exhausted and the JVM crashes. This vulnerability is fixed in 4.10.22, 3.10.6, and 3.8.14.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-400"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44241.json"
}
References

Affected packages

Git / github.com/micronaut-projects/micronaut-core

Affected ranges

Type
GIT
Repo
https://github.com/micronaut-projects/micronaut-core
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "4.3.0"
        },
        {
            "fixed": "4.10.22"
        },
        {
            "introduced": "3.10.0"
        },
        {
            "fixed": "3.10.6"
        },
        {
            "introduced": "0"
        },
        {
            "fixed": "3.8.14"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

v1.*
v1.0.0
v1.0.0.M1
v1.0.0.M2
v1.0.0.M3
v1.0.0.M4
v1.0.0.RC2
v1.0.0.RC3
v1.1.0.M1
v1.1.0.M2
v1.1.0.RC1
v1.1.0.RC2
v1.2.0
v1.2.0.RC1
v1.2.0.RC2
v1.3.0
v1.3.0.M1
v1.3.0.M2
v1.3.0.RC1
v1.3.0.TEST
v2.*
v2.0.0
v2.0.0.RC1
v2.0.0.RC2
v2.0.1
v3.*
v3.0.0
v3.0.0-M2
v3.0.0-M4
v3.0.0-M5
v3.0.0-RC1
v3.1.0
v3.10.0
v3.10.1
v3.10.2
v3.10.3
v3.10.4
v3.10.5
v3.2.0
v3.3.0-M1
v3.4.0
v3.5.0
v3.6.0
v3.7.0
v3.8.0
v3.8.1
v3.8.10
v3.8.11
v3.8.12
v3.8.13
v3.8.2
v3.8.3
v3.8.4
v3.8.5
v3.8.6
v3.8.7
v3.8.8
v3.8.9
v4.*
v4.10.0
v4.10.1
v4.10.10
v4.10.11
v4.10.12
v4.10.13
v4.10.14
v4.10.15
v4.10.16
v4.10.17
v4.10.18
v4.10.19
v4.10.2
v4.10.20
v4.10.21
v4.10.3
v4.10.4
v4.10.5
v4.10.6
v4.10.7
v4.10.8
v4.10.9
v4.3.0
v4.3.1
v4.3.2
v4.3.3
v4.3.4
v4.4.0
v4.4.1
v4.5.0
v4.5.1
v4.5.2
v4.5.3
v4.6.0
v4.6.1
v4.7.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44241.json"