Threat Advisory

Micronaut Vulnerability Allows Uncontrolled DateTimeFormatter Cache Growth

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High


EXECUTIVE SUMMARY:

CVE-2026-44241 (CVSS score 7.5) is a vulnerability in the Micronaut context package that allows memory exhaustion via the Accept-Language header. The vulnerability arises from the unbounded caching of DateTimeFormatter instances in the TimeConverterRegistrar class, where the cache key is derived from the HTTP Accept-Language header. Because the client controls that header, an attacker can generate an unlimited number of unique cache keys and grow the cache until heap memory is exhausted, crashing the JVM. An unauthenticated attacker can exploit this vulnerability by sending requests with novel locale tags in the Accept-Language header, each of which inserts a new DateTimeFormatter instance into the unbounded cache. As a result, an attacker can cause a denial-of-service (DoS) condition, with business consequences such as service downtime, reputational damage, and potential financial losses. No prerequisites or conditions are required for exploitation, as the vulnerability can be triggered by sending a single HTTP request with a crafted Accept-Language header.
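The summary above describes a cache whose key space is controlled by the client. The following example, written for this advisory and not taken from Micronaut's source, shows the anti-pattern beside a hardened form of the same lookup so that reviewers can recognise it in their own code. The class name `LocaleFormatterCache`, the method names, and the limits `MAX_HEADER_LENGTH` and `MAX_ENTRIES` are assumptions chosen for the illustration. The hardened form resolves the header against the JVM's installed locales with `Locale.lookup`, so only a finite set of keys can ever be inserted, and additionally caps the map as defence in depth.

```java
import java.time.LocalDate;
import java.time.format.DateTimeFormatter;
import java.time.format.FormatStyle;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

/** Illustrative formatter caches keyed on Accept-Language (example code, not Micronaut's). */
public final class LocaleFormatterCache {

    // Anti-pattern: the key is whatever locale tag the client sends, so the map can only grow.
    private final Map<Locale, DateTimeFormatter> unbounded = new ConcurrentHashMap<>();

    public DateTimeFormatter unboundedLookup(String acceptLanguage) {
        // Any well-formed tag yields a distinct Locale, hence a distinct cache key.
        Locale locale = Locale.forLanguageTag(acceptLanguage);
        return unbounded.computeIfAbsent(locale,
                l -> DateTimeFormatter.ofLocalizedDate(FormatStyle.MEDIUM).withLocale(l));
    }

    // Hardened form: (1) only installed locales can become keys, so the key space is finite;
    // (2) the map is capped with LRU eviction as defence in depth; (3) oversized or
    // malformed headers fall back to the default locale instead of creating an entry.
    private static final Set<Locale> SUPPORTED =
            new HashSet<>(Arrays.asList(Locale.getAvailableLocales()));
    private static final int MAX_HEADER_LENGTH = 256; // assumed limit, chosen for this example
    private static final int MAX_ENTRIES = 128;       // assumed cap, chosen for this example

    private final Map<Locale, DateTimeFormatter> bounded = Collections.synchronizedMap(
            new LinkedHashMap<Locale, DateTimeFormatter>(16, 0.75f, true) {
                @Override
                protected boolean removeEldestEntry(Map.Entry<Locale, DateTimeFormatter> eldest) {
                    return size() > MAX_ENTRIES; // evict least recently used above the cap
                }
            });

    /** Resolves the header to one of the installed locales, or the default locale if none match. */
    public static Locale resolve(String acceptLanguage) {
        if (acceptLanguage == null || acceptLanguage.isBlank()
                || acceptLanguage.length() > MAX_HEADER_LENGTH) {
            return Locale.getDefault();
        }
        try {
            List<Locale.LanguageRange> ranges = Locale.LanguageRange.parse(acceptLanguage);
            Locale match = Locale.lookup(ranges, SUPPORTED); // RFC 4647 lookup against the allow-list
            return match != null ? match : Locale.getDefault();
        } catch (IllegalArgumentException malformed) {
            return Locale.getDefault();
        }
    }

    public DateTimeFormatter boundedLookup(String acceptLanguage) {
        return bounded.computeIfAbsent(resolve(acceptLanguage),
                l -> DateTimeFormatter.ofLocalizedDate(FormatStyle.MEDIUM).withLocale(l));
    }

    public int unboundedSize() { return unbounded.size(); }
    public int boundedSize() { return bounded.size(); }

    public static void main(String[] args) {
        LocaleFormatterCache cache = new LocaleFormatterCache();
        // Constructed headers: each is a syntactically valid but unique private-use tag.
        for (int i = 0; i < 10_000; i++) {
            String header = "x-" + Integer.toHexString(i);
            cache.unboundedLookup(header);
            cache.boundedLookup(header);
        }
        System.out.println("unbounded entries: " + cache.unboundedSize()); // one per unique tag
        System.out.println("bounded entries:   " + cache.boundedSize());   // only the default locale
        System.out.println(cache.boundedLookup("fr-CA,fr;q=0.9").format(LocalDate.of(2026, 1, 1)));
    }
}
```

Running the `main` method shows the unbounded map holding one entry per unique tag while the bounded map holds a single entry, because every unknown tag resolves to the default locale. Note that the length check matters on its own: `Locale.LanguageRange.parse` does work proportional to the header size, so bounding the input before parsing is part of the mitigation. Patching to the fixed micronaut-context release remains the primary remediation for CVE-2026-44241; this pattern is for reviewing similar caches elsewhere in a codebase.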


RECOMMENDATION:

We strongly recommend updating io.micronaut:micronaut-context to the fixed version listed in the project's releases: https://github.com/micronaut-projects/micronaut-core/releases

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-8hjv-92q9-g4xj
