CVE-2026-44579: Next.js: Denial of Service via connection exhaustion in applications using Cache Components
Next.js is a React framework for building full-stack web applications. From to before 15.5.16 and 16.2.5, applications using Partial Prerendering through the Cache Components feature can be vulnerable to connection exhaustion through crafted POST requests to a server action. In affected configurations, a malicious request can trigger a request-body handling deadlock that leaves connections open for an extended period, consuming file descriptors and server capacity until legitimate users are denied service. This vulnerability is fixed in 15.5.16 and 16.2.5.
Security readout for executives and security teams
Plain-English summary
Attackers can send specially crafted POST requests to Next.js applications that use the Cache Components feature and cause the server to hang connections until legitimate users can no longer reach the site. The fault is availability-only, but a small volume of traffic can effectively knock a customer-facing web app offline until the runtime is patched or restarted.
Executive priority
Patch within the standard high-severity SLA. This is an availability issue, not data exposure, but a single low-effort attacker can degrade customer-facing Next.js sites. Prioritize public, revenue-generating, or SLA-bound applications first; internal or authenticated apps can follow the normal cycle.
Technical view
Next.js versions 15.0.0 to 15.5.15 and 16.0.0 to 16.2.4 mishandle request bodies for server actions when Partial Prerendering with Cache Components is enabled, producing a deadlock (CWE-833) that leaves sockets open and exhausts file descriptors and worker capacity (CWE-770). CVSS 3.1 is 7.5 (AV:N/AC:L/PR:N/UI:N/A:H). Fixed in 15.5.16 and 16.2.5 per the vendor advisory GHSA-mg66-mrh9-m8jx.
Likely exposure
Exposure is limited to Next.js apps on 15.0.0–15.5.15 or 16.0.0–16.2.4 that enable Partial Prerendering via Cache Components and accept unauthenticated POSTs to a server action. Static-only deployments, older Next.js releases without Cache Components, and apps that gate server actions behind auth or WAF rules see less risk.
Exploitation context
No public exploit code, in-the-wild activity, or CISA KEV listing is cited in the bundle. The advisory describes crafted POST requests to a server action; attack complexity is low and no authentication is required per the CVSS vector. Treat as network-reachable denial of service pending vendor or Red Hat updates.
Researcher notes
Root cause per the advisory is a request-body handling deadlock in server action processing when Cache Components is active, mapping to CWE-833 (deadlock) and CWE-770 (unbounded resource allocation). Reproduction requires PPR/Cache Components enabled and a server action reachable via POST. Watch for downstream Node.js base image rebuilds and OpenShift/Red Hat container updates tied to RHSA-2026:37272 and RHSA-2026:34608.
Mitigation direction
Upgrade Next.js to 15.5.16 or 16.2.5 (or later) per GHSA-mg66-mrh9-m8jx.
Apply Red Hat errata RHSA-2026:37272 and RHSA-2026:34608 on affected Red Hat platforms.
If patching is delayed, disable Cache Components / Partial Prerendering on exposed routes.
Front server actions with a WAF or rate-limit rule on unauthenticated POST endpoints.
Tune reverse-proxy connection, body, and idle timeouts to shed stuck sockets.
Monitor file descriptor and worker saturation and configure automated restarts on threshold breach.
Validation and detection
Inventory Next.js versions across repos, containers, and Vercel/Node deployments.
Flag apps on 15.0.0–15.5.15 or 16.0.0–16.2.4 that enable Cache Components or PPR.
Confirm patched builds report 15.5.16 or 16.2.5 in runtime and CI artifacts.
Load-test server actions in staging to confirm connections release under sustained POSTs.
Review WAF, CDN, and proxy logs for anomalous long-lived POSTs to server-action routes.
Track vendor advisory GHSA-mg66-mrh9-m8jx and Red Hat CSAF VEX for status changes.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-770: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-770 · source CWE mapping
Allocation of Resources Without Limits or Throttling
Allocation of Resources Without Limits or Throttling represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.