CVE-2026-44242

Source
https://cve.org/CVERecord?id=CVE-2026-44242
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44242.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-44242
Aliases
Published
2026-05-12T21:17:52.609Z
Modified
2026-07-08T08:13:27.322849148Z
Severity
  • 3.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
Summary
Micronaut Framework: Unbounded bundleCache in ResourceBundleMessageSource Allows Memory Exhaustion via Accept-Language Header
Details

Micronaut Framework is a JVM-based full stack Java framework designed for building modular, easily testable JVM applications. Prior to 4.10.22, the bundleCache is keyed by (Locale, baseName) where the locale originates from the HTTP Accept-Language header. In applications that explicitly register a ResourceBundleMessageSource bean and serve HTML error responses, an unauthenticated attacker can exhaust heap memory by sending requests with large numbers of unique Accept-Language values, each causing a new entry in the unbounded bundleCache. This vulnerability is fixed in 4.10.22.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44242.json",
    "cwe_ids": [
        "CWE-400"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/micronaut-projects/micronaut-core

Affected ranges

Type
GIT
Repo
https://github.com/micronaut-projects/micronaut-core
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "4.10.22"
        }
    ]
}

Affected versions

v1.*
v1.0.0
v1.0.0.M1
v1.0.0.M2
v1.0.0.M3
v1.0.0.M4
v1.0.0.RC2
v1.0.0.RC3
v1.1.0.M1
v1.1.0.M2
v1.1.0.RC1
v1.1.0.RC2
v1.2.0
v1.2.0.RC1
v1.2.0.RC2
v1.3.0
v1.3.0.M1
v1.3.0.M2
v1.3.0.RC1
v1.3.0.TEST
v2.*
v2.0.0
v2.0.0.RC1
v2.0.0.RC2
v2.0.1
v3.*
v3.0.0
v3.0.0-M2
v3.0.0-M4
v3.0.0-M5
v3.0.0-RC1
v3.1.0
v3.2.0
v4.*
v4.0.0-M1
v4.0.0-M2
v4.0.0-M3
v4.0.0-M4
v4.0.0-M5
v4.0.0-M6
v4.0.0-M7
v4.0.0-RC1
v4.1.0
v4.10.0
v4.10.1
v4.10.10
v4.10.11
v4.10.12
v4.10.13
v4.10.14
v4.10.15
v4.10.16
v4.10.17
v4.10.18
v4.10.19
v4.10.2
v4.10.20
v4.10.21
v4.10.3
v4.10.4
v4.10.5
v4.10.6
v4.10.7
v4.10.8
v4.10.9
v4.3.0
v4.3.1
v4.3.2
v4.3.3
v4.3.4
v4.4.0
v4.4.1
v4.5.0
v4.5.1
v4.5.2
v4.5.3
v4.6.0
v4.6.1
v4.7.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44242.json"