Skip to main content

Netty CVE-2026-44248

HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-05-07 https://github.com/netty/netty GHSA-jfg9-48mv-9qgx
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Remote, unauthenticated, low-complexity packet triggers unbounded parsing with availability-only impact; no confidentiality or integrity effect and no scope change.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Red Hat
7.5 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

10
Analysis Updated
Jun 30, 2026 - 04:24 vuln.today
v5 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 04:23 vuln.today
v4 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 04:23 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 04:20 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 30, 2026 - 03:24 vuln.today
cvss_changed
Severity Changed
Jun 30, 2026 - 03:24 NVD
MEDIUM HIGH
CVSS changed
Jun 30, 2026 - 03:24 NVD
5.3 (MEDIUM) 7.5 (HIGH)
Source Code Evidence Fetched
May 07, 2026 - 05:30 vuln.today
Analysis Generated
May 07, 2026 - 05:30 vuln.today
CVE Published
May 07, 2026 - 05:14 nvd
MEDIUM 5.3

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 3 maven packages depend on io.netty:netty-codec-mqtt (3 direct, 0 indirect)

Ecosystem-wide dependent count for version 4.2.0.Alpha1.

DescriptionNVD

Impact

The MQTT 5 header Properties section is parsed and buffered _before_ any message size limit is applied.

Specifically, in MqttDecoder, the decodeVariableHeader() method is called before the bytesRemainingBeforeVariableHeader > maxBytesInMessage check. The decodeVariableHeader() can call other methods which will call decodeProperties(). Effectively, Netty does not apply any limits to the size of the properties being decoded.

Additionally, because MqttDecoder extends ReplayingDecoder, Netty will repeatedly re-parse the enormous Properties sections and buffer the bytes in memory, until the entire thing parses to completion.

This can cause high resource usage in both CPU and memory.

Resources

ANT-2026-09608 https://docs.oasis-open.org/mqtt/mqtt/v5.0/os/mqtt-v5.0-os.html#_Toc3901027

AnalysisAI

Memory and CPU exhaustion in the Netty MQTT codec (io.netty:netty-codec-mqtt) lets remote unauthenticated attackers send oversized MQTT 5 header Properties that are decoded and buffered before the message size limit is enforced. Because MqttDecoder extends ReplayingDecoder, the enormous Properties section is repeatedly re-parsed and re-buffered until parsing completes, driving an application-availability denial of service. There is no public exploit identified at time of analysis, and EPSS is very low (0.04%), but the flaw is automatable and trivial to trigger against any MQTT 5 broker or client built on Netty.

Technical ContextAI

Netty is a high-performance asynchronous network application framework for the JVM, and netty-codec-mqtt implements the MQTT 3.1.1/5.0 wire protocol. The root cause is CWE-400 (Uncontrolled Resource Consumption): in MqttDecoder, decodeVariableHeader() - which can cascade into decodeProperties() to parse the MQTT 5 Properties field defined in the OASIS MQTT 5.0 spec (section 2.2.2) - runs before the bytesRemainingBeforeVariableHeader > maxBytesInMessage guard. As a result the configured maxBytesInMessage limit never bounds the Properties section. Compounding this, MqttDecoder inherits from ReplayingDecoder, whose model is to replay (re-invoke) the decode method as more bytes arrive, so the entire oversized Properties block is re-decoded and re-accumulated in heap on each replay pass, amplifying both CPU and memory cost.

RemediationAI

Patch available per vendor advisory: upgrade netty-codec-mqtt to the fixed Netty release identified in GHSA-jfg9-48mv-9qgx (https://github.com/netty/netty/security/advisories/GHSA-jfg9-48mv-9qgx); the exact fixed version was not included in the provided data, so confirm it against that advisory and bump the io.netty:netty-codec-mqtt dependency (and any transitive pull-in) accordingly. Until upgraded, compensating controls focus on bounding untrusted input: place the MQTT endpoint behind a network proxy or firewall that caps inbound packet/frame size and connection rate so oversized Properties sections are rejected before reaching the decoder (trade-off: a proxy that does not understand MQTT framing may not reliably size-limit a single logical packet); restrict MQTT listener exposure to trusted networks or require TLS client authentication / network ACLs to remove unauthenticated reachability (trade-off: breaks anonymous or public broker use cases); and constrain JVM heap plus add resource monitoring/auto-restart so a memory spike degrades gracefully rather than crashing silently (trade-off: this mitigates symptoms, not the underlying unbounded parsing). Note that the codec's own maxBytesInMessage setting does NOT mitigate this issue because the Properties section is parsed before that check.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS Affected

Share

CVE-2026-44248 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy