CVE-2026-44242: CWE-400: Uncontrolled Resource Consumption in micronaut-projects micronaut-core
Micronaut Framework is a JVM-based full stack Java framework designed for building modular, easily testable JVM applications. Prior to 4.10.22, the bundleCache is keyed by (Locale, baseName) where the locale originates from the HTTP Accept-Language header. In applications that explicitly register a ResourceBundleMessageSource bean and serve HTML error responses, an unauthenticated attacker can exhaust heap memory by sending requests with large numbers of unique Accept-Language values, each causing a new entry in the unbounded bundleCache. This vulnerability is fixed in 4.10.22.
AI Analysis
Technical Summary
The Micronaut Framework's bundleCache is keyed by (Locale, baseName), where the locale is taken from the HTTP Accept-Language header. Before version 4.10.22, this cache is unbounded, allowing an attacker to cause uncontrolled resource consumption by sending requests with numerous unique Accept-Language values. This leads to heap memory exhaustion in affected applications that explicitly register a ResourceBundleMessageSource bean and serve HTML error responses. The vulnerability is classified as CWE-400 (Uncontrolled Resource Consumption).
Potential Impact
An unauthenticated attacker can cause a denial of service by exhausting heap memory on affected Micronaut applications through resource exhaustion. There is no impact on confidentiality or integrity. The CVSS score is 3.7 (low severity), reflecting the limited impact and the requirement for many unique requests to trigger the condition.
Mitigation Recommendations
This vulnerability is fixed in Micronaut Framework version 4.10.22. Users should upgrade to version 4.10.22 or later to remediate this issue. No official remediation level is provided in the advisory, but the fix is available in the updated version. Until upgraded, consider limiting the number of unique Accept-Language headers processed or implementing rate limiting to reduce the risk of resource exhaustion.
CVE-2026-44242: CWE-400: Uncontrolled Resource Consumption in micronaut-projects micronaut-core
Description
Micronaut Framework is a JVM-based full stack Java framework designed for building modular, easily testable JVM applications. Prior to 4.10.22, the bundleCache is keyed by (Locale, baseName) where the locale originates from the HTTP Accept-Language header. In applications that explicitly register a ResourceBundleMessageSource bean and serve HTML error responses, an unauthenticated attacker can exhaust heap memory by sending requests with large numbers of unique Accept-Language values, each causing a new entry in the unbounded bundleCache. This vulnerability is fixed in 4.10.22.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Micronaut Framework's bundleCache is keyed by (Locale, baseName), where the locale is taken from the HTTP Accept-Language header. Before version 4.10.22, this cache is unbounded, allowing an attacker to cause uncontrolled resource consumption by sending requests with numerous unique Accept-Language values. This leads to heap memory exhaustion in affected applications that explicitly register a ResourceBundleMessageSource bean and serve HTML error responses. The vulnerability is classified as CWE-400 (Uncontrolled Resource Consumption).
Potential Impact
An unauthenticated attacker can cause a denial of service by exhausting heap memory on affected Micronaut applications through resource exhaustion. There is no impact on confidentiality or integrity. The CVSS score is 3.7 (low severity), reflecting the limited impact and the requirement for many unique requests to trigger the condition.
Mitigation Recommendations
This vulnerability is fixed in Micronaut Framework version 4.10.22. Users should upgrade to version 4.10.22 or later to remediate this issue. No official remediation level is provided in the advisory, but the fix is available in the updated version. Until upgraded, consider limiting the number of unique Accept-Language headers processed or implementing rate limiting to reduce the risk of resource exhaustion.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-05T15:42:40.520Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a03a0decbff5d86101d5c86
Added to database: 5/12/2026, 9:51:26 PM
Last enriched: 5/12/2026, 10:07:52 PM
Last updated: 5/13/2026, 4:51:22 AM
Views: 9
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.