SB2026060813 - Multiple vulnerabilities in Netty
Published: June 8, 2026
Updated: June 8, 2026
Description
This security bulletin contains information about 22 vulnerabilities.
1) Memory leak (CVE-ID: CVE-2026-48059)
CWE-ID: CWE-401 - Missing release of memory after effective lifetime
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper memory management in the HAProxy PROXY protocol v2 codec when parsing syntactically valid headers containing nested PP2_TYPE_SSL TLVs. A remote attacker can send a specially crafted header to cause a denial of service.
The issue occurs on the successful parse path without throwing an exception, and the underlying pooled cumulation buffer remains pinned even if the application releases the HAProxyMessage normally.
2) Missing Release of Resource after Effective Lifetime (CVE-ID: CVE-2026-48043)
CWE-ID: CWE-772 - Missing Release of Resource after Effective Lifetime
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a reference-count leak in DelegatingDecompressorFrameListener when processing HTTP/2 frames that cause the flow-controller to throw. A remote attacker can send crafted frames to cause a denial of service.
The issue may exhaust memory and eventually take down the JVM due to an out-of-memory error.
3) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-48748)
CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to allocation of resources without limits or throttling in io.netty.handler.codec.http3.QpackDecoder#shouldWaitForDynamicTableUpdates when processing HTTP/3 header blocks that reference dynamic table entries the server has not yet received. A remote attacker can send specially crafted HTTP/3 requests to cause a denial of service.
Only servers with QPACK dynamic tables enabled are affected, and only when the blocked-streams setting is left at its default value of 0.
4) Improper Resource Shutdown or Release (CVE-ID: CVE-2026-48006)
CWE-ID: CWE-404 - Improper Resource Shutdown or Release
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper resource shutdown or release in RedisArrayAggregator when a Redis pipeline connection closes before a RESP array aggregate completes. A remote attacker can repeatedly open and close connections to cause a denial of service.
The issue leaks pooled direct-memory buffers retained in per-handler state, which can exhaust the shared direct-memory pool and trigger allocation failures across Netty channels in the same process.
5) Insufficient verification of data authenticity (CVE-ID: CVE-2026-47691)
CWE-ID: CWE-345 - Insufficient Verification of Data Authenticity
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to poison the DNS cache.
The vulnerability exists due to insufficient verification of data authenticity in the DnsResolveContext.AuthoritativeNameServerList handling of NS records when processing DNS responses containing NS records in the AUTHORITY section and A records in the ADDITIONAL section. A remote attacker can provide crafted DNS records to poison the DNS cache.
Exploitation requires control of an authoritative name server for a subdomain, and the poisoned cache can affect future resolutions under the parent domain.
6) Resource exhaustion (CVE-ID: CVE-2026-47244)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to uncontrolled resource consumption in the HTTP/2 stream management logic when handling HTTP/2 connections without an explicitly configured concurrent stream limit. A remote attacker can open a large number of streams over a single TCP connection to cause a denial of service.
The issue occurs when the application does not explicitly configure a maximum concurrent streams setting.
7) Resource exhaustion (CVE-ID: CVE-2026-46340)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to uncontrolled resource consumption in SCTP message reassembly in netty-transport-sctp when processing non-complete SCTP message fragments. A remote attacker can send a sequence of tiny fragmented DATA chunks that never set the complete flag to cause a denial of service.
Each stream identifier maintains its own accumulator entry, and there is no limit on fragment depth, total buffered bytes, or the number of stream identifiers tracked.
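The mitigation the SCTP reassembly issue calls for is a set of explicit budgets on pending state. The block below is an added illustration, not Netty's code: a small reassembler that caps the number of stream identifiers with pending fragments, the fragment depth per stream and the total buffered bytes, and releases the offending stream's state before reporting a violation. The limit values and the `Fragment` type are assumptions chosen for the example.

```python
"""Bounded message reassembly (added illustration, not Netty's code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Union


class ReassemblyLimitExceeded(Exception):
    """Raised when a peer exceeds a configured reassembly budget."""


@dataclass(frozen=True)
class Fragment:
    """One DATA fragment: stream id, payload, and whether it ends the message."""
    stream_id: int
    payload: bytes
    complete: bool


@dataclass
class _StreamState:
    fragments: List[bytes] = field(default_factory=list)
    buffered_bytes: int = 0


@dataclass
class BoundedReassembler:
    # Assumed budgets for the example; tune to the application's message sizes.
    max_streams: int = 64                 # stream ids with pending fragments
    max_fragments_per_stream: int = 256   # fragment depth per stream
    max_total_bytes: int = 1 << 20        # bytes buffered across all streams
    _streams: Dict[int, _StreamState] = field(default_factory=dict, init=False, repr=False)
    _total_bytes: int = field(default=0, init=False, repr=False)

    def pending_streams(self) -> int:
        return len(self._streams)

    def buffered_bytes(self) -> int:
        return self._total_bytes

    def feed(self, frag: Fragment) -> Optional[bytes]:
        """Buffer a fragment; return the reassembled message once 'complete' is set.

        On any budget violation the offending stream's state is released before
        raising, so the exception path cannot leak what was already buffered.
        """
        state = self._streams.get(frag.stream_id)
        if state is None:
            if len(self._streams) >= self.max_streams:
                raise ReassemblyLimitExceeded("too many streams with pending fragments")
            state = _StreamState()
            self._streams[frag.stream_id] = state

        if len(state.fragments) >= self.max_fragments_per_stream:
            self._release(frag.stream_id)
            raise ReassemblyLimitExceeded(f"fragment depth exceeded on stream {frag.stream_id}")
        if self._total_bytes + len(frag.payload) > self.max_total_bytes:
            self._release(frag.stream_id)
            raise ReassemblyLimitExceeded("total reassembly buffer exceeded")

        state.fragments.append(frag.payload)
        state.buffered_bytes += len(frag.payload)
        self._total_bytes += len(frag.payload)
        if not frag.complete:
            return None
        message = b"".join(state.fragments)
        self._release(frag.stream_id)
        return message

    def _release(self, stream_id: int) -> None:
        state = self._streams.pop(stream_id, None)
        if state is not None:
            self._total_bytes -= state.buffered_bytes


def simulate(frags: List[Fragment], **limits) -> List[Union[bytes, str]]:
    """Feed fragments in order; record 'pending', the completed message, or 'rejected'."""
    r = BoundedReassembler(**limits)
    out: List[Union[bytes, str]] = []
    for f in frags:
        try:
            msg = r.feed(f)
        except ReassemblyLimitExceeded:
            out.append("rejected")
            continue
        out.append("pending" if msg is None else msg)
    return out


if __name__ == "__main__":
    # Constructed input: stream 7 never sets 'complete' and is cut off at the depth limit.
    trickle = [Fragment(7, b"x", False) for _ in range(5)]
    print(simulate(trickle + [Fragment(1, b"hi", True)], max_fragments_per_stream=3))
```

The three budgets map directly onto the three missing limits the description names (fragment depth, total buffered bytes, number of stream identifiers); which one trips first depends on the traffic pattern, so all three are needed.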
8) Insufficient verification of data authenticity (CVE-ID: CVE-2026-45674)
CWE-ID: CWE-345 - Insufficient Verification of Data Authenticity
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to poison the DNS cache.
The vulnerability exists due to insufficient verification of data authenticity in DnsResolveContext.buildAliasMap() when processing CNAME records in DNS responses. A remote attacker can send a malicious DNS response containing out-of-bailiwick CNAME records to poison the DNS cache.
Any application using Netty's DNS resolver is impacted.
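Both DNS issues above (parent-zone NS records with ADDITIONAL-section glue in item 5, and out-of-bailiwick CNAME records in item 8) come down to one resolver rule: cache only records whose owner name lies at or below the zone the answering server is authoritative for, and accept address glue only for name servers named by an in-bailiwick NS record in the same response. The block below is an added illustration of that rule, not Netty's code; the `Record` type and the sample names and addresses are constructed for the example.

```python
"""Bailiwick filter for DNS response records (added illustration, not Netty's code)."""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


def labels(name: str) -> Tuple[str, ...]:
    """Normalise a DNS name to lowercase labels, ignoring any trailing dot."""
    return tuple(lab.lower() for lab in name.rstrip(".").split(".") if lab)


def in_bailiwick(owner: str, zone: str) -> bool:
    """True when `owner` equals `zone` or is label-wise below it."""
    o, z = labels(owner), labels(zone)
    return len(o) >= len(z) and o[len(o) - len(z):] == z


@dataclass(frozen=True)
class Record:
    name: str      # owner name
    rtype: str     # "A", "AAAA", "NS", "CNAME", ...
    rdata: str
    section: str   # "answer", "authority" or "additional"


def filter_cacheable(records: Iterable[Record], zone: str) -> List[Record]:
    """Return the subset of `records` a resolver may cache from a server for `zone`.

    - A record whose owner is outside `zone` (parent zone, foreign domain, or the
      target of a CNAME chain that left the zone) is never cached from this server.
    - ADDITIONAL-section A/AAAA glue is kept only for a name server that an
      in-bailiwick NS record in the same response actually points at.
    """
    records = list(records)
    ns_targets = {
        labels(r.rdata) for r in records
        if r.rtype == "NS" and in_bailiwick(r.name, zone)
    }
    kept: List[Record] = []
    for r in records:
        if not in_bailiwick(r.name, zone):
            continue  # out of bailiwick: must be resolved via the proper authority
        if r.section == "additional" and r.rtype in ("A", "AAAA") and labels(r.name) not in ns_targets:
            continue  # unsolicited glue
        kept.append(r)
    return kept
```

The CNAME record itself may be cached when its owner is in bailiwick; only the addresses of an out-of-zone target must be fetched through a separate query to that target's own authority.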
9) Missing Release of Resource after Effective Lifetime (CVE-ID: CVE-2026-45536)
CWE-ID: CWE-772 - Missing Release of Resource after Effective Lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper resource shutdown in netty_unix_socket_recvFd when receiving SCM_RIGHTS control messages containing two file descriptors over a unix domain socket. A remote attacker can send a specially crafted message to cause a denial of service.
The issue is reachable via Epoll/KQueue DomainSocketChannel only when the application enables DomainSocketReadMode.FILE_DESCRIPTORS.
10) Uncontrolled Memory Allocation (CVE-ID: CVE-2026-45416)
CWE-ID: CWE-789 - Uncontrolled Memory Allocation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to uncontrolled memory allocation in SslClientHelloHandler.decode() when processing a TLS ClientHello that does not fit in the first record. A remote attacker can send a specially crafted ClientHello with a large handshake length to cause a denial of service.
The issue is exposed by the commonly used SniHandler and AbstractSniHandler constructors because they disable the client hello length guard and do not schedule a handshake timeout.
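A handler that peeks at the ClientHello to select a certificate has to decide how much it is willing to buffer before it has seen the whole message. The block below is an added illustration of that guard, not Netty's code: it reads the declared handshake length from the first record and classifies the connection's bytes so far, refusing anything above a fixed cap. The cap value, the function names and the sample record bytes are assumptions constructed for the example.

```python
"""Length guard for a TLS ClientHello that may span several records
(added illustration, not Netty's code)."""
import struct

TLS_CONTENT_HANDSHAKE = 0x16
TLS_HANDSHAKE_CLIENT_HELLO = 0x01
RECORD_HEADER_LEN = 5      # content type (1), version (2), length (2)
HANDSHAKE_HEADER_LEN = 4   # message type (1), length (3)
MAX_CLIENT_HELLO_BYTES = 16 * 1024  # assumed cap for the example; real ClientHellos are far smaller


def inspect_client_hello(buf: bytes, max_len: int = MAX_CLIENT_HELLO_BYTES) -> str:
    """Classify the bytes buffered so far from a new connection.

    Returns one of:
      "need_more"        - not enough bytes yet to read both headers
      "not_tls"          - first record is not a TLS handshake record
      "not_client_hello" - handshake record, but not a ClientHello
      "rejected"         - declared ClientHello length exceeds `max_len`
      "buffering"        - length acceptable, message not yet fully received
      "complete"         - whole ClientHello is in `buf`
    The caller should close on "rejected" and should also run a handshake timer
    while in "buffering": a length cap alone does not bound how long a peer stalls.
    """
    if len(buf) < RECORD_HEADER_LEN + HANDSHAKE_HEADER_LEN:
        return "need_more"
    content_type, major, _minor, _record_len = struct.unpack("!BBBH", buf[:RECORD_HEADER_LEN])
    if content_type != TLS_CONTENT_HANDSHAKE or major != 3:
        return "not_tls"
    if buf[RECORD_HEADER_LEN] != TLS_HANDSHAKE_CLIENT_HELLO:
        return "not_client_hello"
    hello_len = int.from_bytes(buf[RECORD_HEADER_LEN + 1:RECORD_HEADER_LEN + 4], "big")
    if hello_len > max_len:
        return "rejected"
    # The handshake message body may continue in later records; count payload bytes only.
    if handshake_bytes_buffered(buf) >= HANDSHAKE_HEADER_LEN + hello_len:
        return "complete"
    return "buffering"


def handshake_bytes_buffered(buf: bytes) -> int:
    """Sum the payload bytes of the handshake records present in `buf`."""
    total, pos = 0, 0
    while len(buf) - pos >= RECORD_HEADER_LEN:
        content_type, _maj, _min, record_len = struct.unpack("!BBBH", buf[pos:pos + RECORD_HEADER_LEN])
        if content_type != TLS_CONTENT_HANDSHAKE:
            break
        body = buf[pos + RECORD_HEADER_LEN:pos + RECORD_HEADER_LEN + record_len]
        total += len(body)           # a partial trailing record counts what has arrived
        pos += RECORD_HEADER_LEN + record_len
    return total
```

The check runs on the first nine bytes, before any cumulation, which is the point: the decision to buffer at all is made from the peer's declared length against a server-chosen cap, not from how much the peer eventually sends.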
11) Generation of Predictable Numbers or Identifiers (CVE-ID: CVE-2026-45673)
CWE-ID: CWE-340 - Generation of Predictable Numbers or Identifiers
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to poison the DNS cache.
The vulnerability exists due to generation of predictable numbers or identifiers in the Netty DNS resolver when generating DNS transaction IDs and using the default static UDP source port for DNS queries. A remote attacker can spoof DNS responses to poison the DNS cache.
Successful exploitation may cause downstream applications to connect to malicious IP addresses, enabling traffic interception or machine-in-the-middle attacks.
12) Improper Certificate Validation (CVE-ID: CVE-2026-50010)
CWE-ID: CWE-295 - Improper Certificate Validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper certificate validation in X509TrustManagerWrapper within netty-handler when establishing client TLS connections with a user-supplied plain X509TrustManager. A remote attacker can present a certificate for an unexpected hostname to disclose sensitive information.
The issue occurs because hostname verification is not performed in this configuration, even when HTTPS endpoint identification is expected by default.
13) Insufficient verification of data authenticity (CVE-ID: CVE-2026-44894)
CWE-ID: CWE-345 - Insufficient Verification of Data Authenticity
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass the QUIC anti-amplification limit and reflect handshake traffic to a spoofed victim.
The vulnerability exists due to improper token validation in NoQuicTokenHandler when handling QUIC Initial packets containing client-supplied token bytes. A remote attacker can send a specially crafted Initial packet with any non-empty token and a spoofed source IP address to bypass the QUIC anti-amplification limit and reflect handshake traffic to a spoofed victim.
The issue occurs when the application uses the default token handler instead of configuring its own token handler.
14) Missing Release of Resource after Effective Lifetime (CVE-ID: CVE-2026-44893)
CWE-ID: CWE-772 - Missing Release of Resource after Effective Lifetime
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper resource management in HAProxyMessage.readNextTLV() when decoding a PP2_TYPE_SSL TLV with an invalid length. A remote attacker can send a specially crafted HAProxy TLV to cause a denial of service.
The issue is triggered when the TLV length is set below 5, causing an IndexOutOfBoundsException to propagate while a retained slice on the pooled cumulation buffer is not released.
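Items 1 and 14 both concern the TLV section of a PROXY protocol v2 header: one is a syntactically valid header with nested PP2_TYPE_SSL TLVs, the other a PP2_TYPE_SSL TLV declaring a length below its fixed five-byte prefix. The block below is an added illustration of a parser that checks every declared length against the bytes actually remaining and against the type's minimum before reading, and caps PP2_TYPE_SSL nesting; it is not Netty's code. The nesting cap and the constructed test bytes are assumptions for the example; the type codes and the five-byte PP2_TYPE_SSL prefix follow the PROXY protocol specification.

```python
"""Bounds-checked parser for PROXY protocol v2 TLVs (added illustration, not Netty's code)."""
import struct
from dataclasses import dataclass, field
from typing import List

PP2_TYPE_SSL = 0x20
PP2_SSL_FIXED_LEN = 5     # client (1 byte) + verify (4 bytes) precede the sub-TLVs
TLV_HEADER_LEN = 3        # type (1 byte) + length (2 bytes, big-endian)
MAX_SSL_NESTING = 1       # assumption: a PP2_TYPE_SSL TLV may not itself contain PP2_TYPE_SSL


class ProxyProtocolError(ValueError):
    """Malformed TLV section; the connection should be closed."""


@dataclass
class TLV:
    type: int
    value: bytes
    children: List["TLV"] = field(default_factory=list)


def encode_tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV (used here only to build constructed test input)."""
    return struct.pack("!BH", tlv_type, len(value)) + value


def parse_tlvs(buf: bytes, depth: int = 0) -> List[TLV]:
    """Parse a TLV section; raise ProxyProtocolError on any structural defect."""
    tlvs: List[TLV] = []
    pos = 0
    while pos < len(buf):
        remaining = len(buf) - pos
        if remaining < TLV_HEADER_LEN:
            raise ProxyProtocolError("truncated TLV header")
        tlv_type, length = struct.unpack_from("!BH", buf, pos)
        pos += TLV_HEADER_LEN
        # Validate the declared length before touching the value bytes.
        if length > remaining - TLV_HEADER_LEN:
            raise ProxyProtocolError(
                f"TLV 0x{tlv_type:02x} declares {length} bytes, only {remaining - TLV_HEADER_LEN} remain")
        value = buf[pos:pos + length]
        pos += length
        tlv = TLV(tlv_type, value)
        if tlv_type == PP2_TYPE_SSL:
            if depth >= MAX_SSL_NESTING:
                raise ProxyProtocolError("PP2_TYPE_SSL nested inside PP2_TYPE_SSL")
            if length < PP2_SSL_FIXED_LEN:
                raise ProxyProtocolError(
                    f"PP2_TYPE_SSL declares {length} bytes, minimum is {PP2_SSL_FIXED_LEN}")
            tlv.children = parse_tlvs(value[PP2_SSL_FIXED_LEN:], depth + 1)
        tlvs.append(tlv)
    return tlvs


def validate(buf: bytes) -> str:
    """Return "ok" or the parser's error message, for quick checks and tests."""
    try:
        parse_tlvs(buf)
        return "ok"
    except ProxyProtocolError as e:
        return f"rejected: {e}"
```

In a pooled-buffer codec the same structure applies, with one addition the Python slices hide: any retained slice taken before a length check must be released on the error path, and any slice handed to the application must be the only reference keeping the cumulation buffer alive.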
15) Resource exhaustion (CVE-ID: CVE-2026-44892)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to uncontrolled resource consumption in Http3ConnectionHandler and Http3FrameCodec when processing HTTP/3 header fields without an enforced maximum header size limit. A remote attacker can send an enormous number of headers to cause a denial of service.
The issue occurs when a peer does not explicitly specify HTTP3_SETTINGS_MAX_FIELD_SECTION_SIZE, causing the implementation to use an unbounded default limit and potentially crash with an OutOfMemoryError.
16) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2026-50020)
CWE-ID: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to smuggle HTTP requests.
The vulnerability exists due to inconsistent interpretation of HTTP requests in HttpObjectDecoder when parsing requests with non-CRLF control characters before the request-line. A remote attacker can send a specially crafted request to smuggle HTTP requests.
The issue can cause request-boundary confusion when a front-end component interprets the prepended bytes differently in pipelined or multiplexed transports.
17) Incorrect Comparison (CVE-ID: CVE-2026-44249)
CWE-ID: CWE-697 - Incorrect Comparison
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to bypass IPv6 subnet access controls.
The vulnerability exists due to incorrect comparison in IpSubnetFilterRule.compareTo() when evaluating IPv6 subnet rules. A remote attacker can use a valid public IP address to bypass IPv6 subnet access controls.
The issue is caused by applying a bitwise AND operation to the configured networkAddress instead of the subnetMask.
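The root cause stated above is a single wrong operand: the address is ANDed with the network address rather than with the subnet mask. The block below is an added illustration of that defect class and of the regression check that catches it; it is not Netty's code and reduces the rule to one membership test. `matches` is the correct form, `matches_defective` models the described mistake, and `audit` lists the addresses on which the two disagree, which must be empty for any correctly implemented matcher. The address values are constructed from documentation ranges.

```python
"""Subnet membership: correct mask-based test beside the defect class described
above (added illustration, not Netty's code)."""
import ipaddress
from typing import Iterable, List, Tuple


def _rule(cidr: str) -> Tuple[int, int, int]:
    """Return (network, mask, ip_version) as integers for a CIDR rule."""
    net = ipaddress.ip_network(cidr, strict=False)
    return int(net.network_address), int(net.netmask), net.version


def matches(addr: str, cidr: str) -> bool:
    """Correct membership test: (addr & mask) == network."""
    network, mask, version = _rule(cidr)
    ip = ipaddress.ip_address(addr)
    return ip.version == version and (int(ip) & mask) == network


def matches_defective(addr: str, cidr: str) -> bool:
    """Defect model: AND against the network address instead of the mask, so any
    address whose bits cover the network's set bits is accepted regardless of prefix."""
    network, _mask, version = _rule(cidr)
    ip = ipaddress.ip_address(addr)
    return ip.version == version and (int(ip) & network) == network


def audit(cidr: str, samples: Iterable[str]) -> List[str]:
    """Addresses on which the defective test disagrees with the correct one.

    Use as a regression test for a hand-written subnet matcher: substitute the
    matcher under test for `matches_defective`; the result must be empty.
    """
    return [a for a in samples if matches(a, cidr) != matches_defective(a, cidr)]
```

The disagreement set is non-empty only for addresses outside the prefix, which is exactly the bypass the bulletin describes; addresses inside the prefix are classified the same way by both tests, so a test suite built only from in-range addresses would never notice the bug.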
18) Information disclosure (CVE-ID: N/A)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to exposure of sensitive information in QUIC stateless reset token generation when observing header-visible connection IDs during source connection ID rotation. A remote attacker can send a spoofed stateless reset packet to cause a denial of service.
The issue occurs when the default HMAC-based connection-ID and stateless-reset-token generators use the same JVM-wide static key, allowing an on-path observer to derive the reset token from QUIC headers without decrypting payload data.
19) Resource exhaustion (CVE-ID: CVE-2026-44890)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to uncontrolled resource consumption in RedisDecoder when processing crafted Redis payloads that omit the required \r\n terminator. A remote attacker can send specially crafted Redis payloads across multiple concurrent connections to cause a denial of service.
Exploitation requires multiple concurrent connections to exhaust the direct memory pool and trigger an OutOfDirectMemoryError.
20) Resource exhaustion (CVE-ID: CVE-2026-44250)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to uncontrolled resource consumption in RedisArrayAggregator when processing deeply nested Redis array headers. A remote attacker can send a specially crafted Redis payload to cause a denial of service.
The issue can lead to memory exhaustion and an OutOfMemoryError in applications that handle untrusted Redis traffic.
21) Allocation of Resources Without Limits or Throttling (CVE-ID: N/A)
CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to allocation of resources without limits or throttling in RedisArrayAggregator when processing RESP array headers. A remote attacker can send a specially crafted array header with a large declared element count to cause a denial of service.
The backing array allocation is attempted based on the declared array length before the corresponding child messages are received.
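Items 19, 20 and 21 are three faces of one decoder problem: bytes scanned without bound for a CRLF terminator, arrays nested without a depth limit, and a backing array sized from the peer's declared element count before any element arrives. The block below is an added illustration of a RESP decoder that bounds all four quantities (terminator scan, nesting depth, declared array length, bulk-string length) and grows arrays as elements arrive; it is not Netty's code. Limit values and the `probe` helper are assumptions chosen for the example.

```python
"""RESP decoder with explicit resource limits (added illustration, not Netty's code)."""
from dataclasses import dataclass
from typing import Any, Tuple


class RespError(ValueError):
    """Malformed input or a limit exceeded; the connection should be closed."""


class RespIncomplete(Exception):
    """More bytes are needed; the buffer kept so far is already within limits."""


@dataclass(frozen=True)
class ErrorReply:
    message: str


@dataclass(frozen=True)
class RespLimits:
    # Assumed limits for the example; max_bulk_len mirrors Redis's own default.
    max_inline_len: int = 64 * 1024      # bytes scanned for CRLF before giving up
    max_array_len: int = 1024 * 1024     # declared elements accepted in one array header
    max_bulk_len: int = 512 * 1024 * 1024
    max_depth: int = 32                  # nested arrays


def _read_line(buf: bytes, pos: int, limits: RespLimits) -> Tuple[bytes, int]:
    """Return (line, next_pos) for the CRLF-terminated line starting at `pos`."""
    end = buf.find(b"\r\n", pos, pos + limits.max_inline_len + 2)
    if end == -1:
        if len(buf) - pos > limits.max_inline_len:
            raise RespError(f"no CRLF within {limits.max_inline_len} bytes")
        raise RespIncomplete()
    return buf[pos:end], end + 2


def _int(line: bytes) -> int:
    try:
        return int(line)
    except ValueError:
        raise RespError(f"bad integer {line!r}") from None


def _decode(buf: bytes, pos: int, limits: RespLimits, depth: int) -> Tuple[Any, int]:
    if depth > limits.max_depth:
        raise RespError(f"array nesting deeper than {limits.max_depth}")
    if pos >= len(buf):
        raise RespIncomplete()
    prefix = buf[pos:pos + 1]
    line, pos = _read_line(buf, pos + 1, limits)
    if prefix == b"+":
        return line.decode("utf-8", "replace"), pos
    if prefix == b"-":
        return ErrorReply(line.decode("utf-8", "replace")), pos
    if prefix == b":":
        return _int(line), pos
    if prefix == b"$":
        n = _int(line)
        if n == -1:
            return None, pos                      # null bulk string
        if n < 0 or n > limits.max_bulk_len:
            raise RespError(f"bulk length {n} out of range")
        if len(buf) - pos < n + 2:
            raise RespIncomplete()
        if buf[pos + n:pos + n + 2] != b"\r\n":
            raise RespError("bulk string not CRLF-terminated")
        return buf[pos:pos + n], pos + n + 2
    if prefix == b"*":
        n = _int(line)
        if n == -1:
            return None, pos                      # null array
        if n < 0 or n > limits.max_array_len:
            raise RespError(f"declared array length {n} out of range")
        items = []                                # grown per element, never preallocated
        for _ in range(n):
            item, pos = _decode(buf, pos, limits, depth + 1)
            items.append(item)
        return items, pos
    raise RespError(f"unknown RESP type prefix {prefix!r}")


def decode(buf: bytes, limits: RespLimits = RespLimits()) -> Tuple[Any, int]:
    """Decode one complete RESP value; return (value, bytes_consumed)."""
    return _decode(buf, 0, limits, 0)


def probe(buf: bytes, limits: RespLimits = RespLimits()) -> str:
    """Classify a buffer as "ok", "incomplete" or "rejected: <reason>"."""
    try:
        decode(buf, limits)
        return "ok"
    except RespIncomplete:
        return "incomplete"
    except RespError as e:
        return f"rejected: {e}"
```

The distinction between `RespIncomplete` and `RespError` is what keeps the cumulation buffer bounded: a connection is allowed to wait for more bytes only while everything already buffered is inside the limits, and the moment a declared length or a terminator-free run exceeds them the connection is closed rather than kept.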
22) Resource exhaustion (CVE-ID: CVE-2026-50560)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper handling of SETTINGS_MAX_HEADER_LIST_SIZE in the Netty HTTP/2 codec when processing HTTP/2 requests with a client-supplied maximum header list size setting. A remote attacker can send specially crafted HTTP/2 requests to cause a denial of service.
The issue is similar in effect to the HTTP/2 Rapid Reset attack but has a different on-the-wire signature.
Remediation
Install the update from the vendor's website.
References
- https://github.com/netty/netty/security/advisories/GHSA-h2qv-fj59-j46j
- https://github.com/netty/netty/security/advisories/GHSA-c2gf-v879-257j
- https://github.com/netty/netty/security/advisories/GHSA-4grm-h2qv-h6w6
- https://github.com/netty/netty/security/advisories/GHSA-6jv9-x5w9-2ccm
- https://github.com/netty/netty/security/advisories/GHSA-5pvg-856g-cp85
- https://github.com/netty/netty/security/advisories/GHSA-5x3r-wrvg-rp6q
- https://www.rfc-editor.org/rfc/rfc7540.html#section-6.5.2
- https://github.com/netty/netty/security/advisories/GHSA-5xrh-qmmq-w6ch
- https://github.com/netty/netty/security/advisories/GHSA-676x-f7gg-47vc
- https://github.com/netty/netty/security/advisories/GHSA-w573-9ffj-6ff9
- https://github.com/netty/netty/security/advisories/GHSA-x4gw-5cx5-pgmh
- https://github.com/netty/netty/security/advisories/GHSA-xmv7-r254-6q78
- https://github.com/netty/netty/security/advisories/GHSA-c653-97m9-rcg9
- https://github.com/netty/netty/security/advisories/GHSA-cmm3-54f8-px4j
- https://github.com/netty/netty/security/advisories/GHSA-cc37-9q2j-3hfv
- https://github.com/netty/netty/security/advisories/GHSA-c2rx-5r8w-8xr2
- https://github.com/netty/netty/security/advisories/GHSA-hvcg-qmg6-jm4c
- https://github.com/netty/netty/security/advisories/GHSA-3qp7-7mw8-wx86
- https://github.com/netty/netty/security/advisories/GHSA-cq4q-cv5g-r8q5
- https://github.com/netty/netty/security/advisories/GHSA-6ghj-frrj-jjj3
- https://github.com/netty/netty/security/advisories/GHSA-3244-j874-rhc2
- https://github.com/netty/netty/security/advisories/GHSA-5w86-c3rq-vjj7
- https://github.com/netty/netty/security/advisories/GHSA-563q-j3cm-6jxm