Memory leak in Netty - CVE-2026-48059

Published: June 8, 2026


Vulnerability identifier: #VU133440
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-48059
CWE-ID: CWE-401
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Netty project
Affected software:
Netty

Detailed vulnerability description

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper memory management in the HAProxy PROXY protocol v2 codec when parsing syntactically valid headers containing nested PP2_TYPE_SSL TLVs. A remote attacker can send a specially crafted header to cause a denial of service.

The leak occurs on the successful parse path, so no exception is thrown, and the underlying pooled cumulation buffer remains pinned even when the application releases the HAProxyMessage normally.


How to mitigate CVE-2026-48059

Install the security update from the vendor's website.

Sources