SB20260505124 - Multiple vulnerabilities in Netty
Published: May 5, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 13 secuirty vulnerabilities.
1) Resource exhaustion (CVE-ID: CVE-2026-44248)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to uncontrolled resource consumption in MqttDecoder when parsing MQTT 5 header Properties sections. A remote attacker can send a specially crafted MQTT message with an enormous Properties section to cause a denial of service.
The issue can lead to high CPU and memory usage because the Properties section is parsed and buffered before message size limits are applied, and repeated re-parsing occurs due to ReplayingDecoder behavior.
2) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2026-42584)
The vulnerability allows a remote attacker to disrupt HTTP parsing integrity and availability on the connection.
The vulnerability exists due to inconsistent interpretation of HTTP responses in HttpClientCodec when processing pipelined HTTP/1.1 responses that include a 1xx response before a GET response body and a subsequent HEAD response. A remote attacker can send a specially crafted sequence of HTTP responses to disrupt HTTP parsing integrity and availability on the connection.
Exploitation requires HTTP/1.1 pipelining, a HEAD request in the pipeline, and a server response sequence that includes a 1xx response.
3) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-42583)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to uncontrolled resource consumption in io.netty.handler.codec.compression.Lz4FrameDecoder#decode when processing crafted LZ4 frames. A remote attacker can send a specially crafted compressed frame header and payload to cause a denial of service.
On the compressed path, header fields are trusted for sizing, allowing a small request to force allocation of a much larger ByteBuf.
4) Uncontrolled Memory Allocation (CVE-ID: CVE-2026-42582)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to memory allocation with excessive size value in io.netty.handler.codec.http3.QpackDecoder#decodeHuffmanEncodedLiteral when decoding HTTP/3 QPACK literal header fields. A remote attacker can send a specially crafted HTTP/3 HEADERS frame to cause a denial of service.
The issue occurs in the non-Huffman decoding branch before the claimed literal length is verified against the available bytes in the compressed field section.
5) Null Byte Interaction Error (Poison Null Byte) (CVE-ID: CVE-2026-42579)
The vulnerability allows a remote attacker to bypass domain validation and poison DNS caches.
The vulnerability exists due to improper input validation in io.netty.handler.codec.dns.DnsCodecUtil encodeDomainName() when encoding user-influenced domain names. A remote attacker can supply a crafted domain name containing null bytes, overlength labels, or empty labels to bypass domain validation and poison DNS caches.
The issue affects the encoder path and relies on applications using user-influenced hostnames to construct DNS queries.
6) Missing Release of Resource after Effective Lifetime (CVE-ID: CVE-2026-42577)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to missing release of resource after effective lifetime in the Netty epoll transport when processing a TCP connection that receives a RST after being half-closed. A remote attacker can send a FIN followed by a RST to cause a denial of service.
Exploitation requires ALLOW_HALF_CLOSURE to be enabled or the connection to enter a half-closed state via the HTTP codec.
7) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2026-42585)
The vulnerability allows a remote attacker to inject arbitrary HTTP requests.
The vulnerability exists due to inconsistent interpretation of HTTP requests in HttpRequestDecoder when parsing malformed Transfer-Encoding headers. A remote attacker can send a specially crafted HTTP request with a malformed "Transfer-Encoding: chunked, identity" header to inject arbitrary HTTP requests.
Exploitation is possible in deployments where a proxy forwards such malformed requests to Netty instead of rejecting them.
8) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2026-42580)
The vulnerability allows a remote attacker to inject arbitrary HTTP requests.
The vulnerability exists due to inconsistent interpretation of HTTP requests in io.netty.handler.codec.http.HttpObjectDecoder#getChunkSize when parsing chunked HTTP requests. A remote attacker can send a specially crafted chunked request to inject arbitrary HTTP requests.
9) HTTP response splitting (CVE-ID: CVE-2026-42578)
The vulnerability allows a remote attacker to inject arbitrary HTTP headers into CONNECT proxy requests.
The vulnerability exists due to improper neutralization of CRLF sequences in HTTP headers in io.netty.handler.proxy.HttpProxyHandler newInitialMessage() when handling user-influenced outbound headers. A remote attacker can supply crafted header values containing CRLF sequences to inject arbitrary HTTP headers into CONNECT proxy requests.
Exploitation requires an application to use HttpProxyHandler with user-influenced outboundHeaders without performing its own CRLF sanitization.
10) CRLF injection (CVE-ID: CVE-2026-42586)
The vulnerability allows a remote attacker to inject Redis commands or poison Redis responses.
The vulnerability exists due to improper neutralization of CRLF sequences in io.netty.handler.codec.redis.RedisEncoder when encoding user-controlled Redis message content. A remote attacker can supply crafted content containing CRLF characters to inject Redis commands or poison Redis responses.
The issue affects inline command mode and simple string or error response types, while RESP array format with binary-safe length-prefixed encoding is not affected.
11) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2026-42581)
The vulnerability allows a remote attacker to perform request smuggling.
The vulnerability exists due to improper input validation in HttpObjectDecoder when processing HTTP/1.0 requests containing both Transfer-Encoding: chunked and Content-Length headers. A remote attacker can send a specially crafted HTTP/1.0 request to perform request smuggling.
Exploitation requires Netty to be deployed behind a downstream proxy or handler that trusts Content-Length over Transfer-Encoding.
12) Resource exhaustion (CVE-ID: CVE-2026-42587)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to uncontrolled resource consumption in HttpContentDecompressor and DelegatingDecompressorFrameListener when processing compressed HTTP request bodies with Content-Encoding set to br, zstd, or snappy. A remote attacker can send a specially crafted compressed payload to cause a denial of service.
The configured maxAllocation limit is enforced for gzip and deflate, but is silently ignored for brotli, zstd, and snappy. The issue affects both HTTP/1.1 and HTTP/2 handling.
13) CRLF injection (CVE-ID: CVE-2026-41417)
The vulnerability allows a remote attacker to inject additional HTTP or RTSP requests.
The vulnerability exists due to improper neutralization of CRLF sequences in DefaultHttpRequest.setUri() and DefaultFullHttpRequest.setUri() when encoding attacker-controlled URIs into request lines through HttpRequestEncoder or RtspEncoder. A remote attacker can supply a specially crafted URI containing CRLF sequences to inject additional HTTP or RTSP requests.
Exploitation requires an application to create the request object first, later modify it through setUri(), and then serialize it with HttpRequestEncoder or RtspEncoder.
Remediation
Install update from vendor's website.
References
- https://github.com/netty/netty/security/advisories/GHSA-jfg9-48mv-9qgx
- https://github.com/netty/netty/security/advisories/GHSA-57rv-r2g8-2cj3
- https://github.com/netty/netty/security/advisories/GHSA-mj4r-2hfc-f8p6
- https://github.com/netty/netty/security/advisories/GHSA-2c5c-chwr-9hqw
- https://github.com/netty/netty/security/advisories/GHSA-cm33-6792-r9fm
- https://github.com/netty/netty/security/advisories/GHSA-rwm7-x88c-3g2p
- https://github.com/netty/netty/commit/0ec3d97fab376e243d328ac95fbd288ba0f6e22d
- https://github.com/netty/netty/security/advisories/GHSA-38f8-5428-x5cv
- https://github.com/netty/netty/security/advisories/GHSA-m4cv-j2px-7723
- https://github.com/netty/netty/security/advisories/GHSA-45q3-82m4-75jr
- https://github.com/advisories/GHSA-45q3-82m4-75jr
- https://github.com/netty/netty/security/advisories/GHSA-rgrr-p7gp-5xj7
- https://github.com/netty/netty/security/advisories/GHSA-xxqh-mfjm-7mv9
- https://github.com/netty/netty/security/advisories/GHSA-f6hv-jmp6-3vwv
- https://github.com/netty/netty/security/advisories/GHSA-v8h7-rr48-vmmv