Skip to main content

Netty CVE-2026-44249

HIGH
Improper Access Control (CWE-284)
2026-06-08 https://github.com/netty/netty GHSA-3qp7-7mw8-wx86
8.1
CVSS 3.1 · Vendor: https://github.com/netty/netty
Share

Severity by source

Vendor (https://github.com/netty/netty) PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
8.1 HIGH
qualitative

Primary rating from Vendor (https://github.com/netty/netty).

CVSS VectorVendor: https://github.com/netty/netty

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 08, 2026 - 19:20 vuln.today
Analysis Generated
Jun 08, 2026 - 19:20 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 686 maven packages depend on io.netty:netty-handler (317 direct, 369 indirect)

Ecosystem-wide dependent count for version 4.2.0.Final.

DescriptionCVE.org

Summary

An attacker can bypass IPv6 subnet rules due to an incorrect masking operation in IpSubnetFilterRule.compareTo(). Valid public IP addresses can bypass the restrictions.

Details

io.netty.handler.ipfilter.IpSubnetFilterRule#compareTo(java.net.InetSocketAddress) method performs a bitwise AND between the incoming IP address and the configured networkAddress, instead of the subnetMask.

Impact

Access Control Bypass. Attacker can bypass IpSubnetFilter IPv6 access controls.

AnalysisAI

IPv6 access control bypass in Netty's netty-handler component (versions <= 4.1.134.Final and 4.2.0.Final through 4.2.14.Final) allows remote attackers to circumvent IpSubnetFilter restrictions due to a faulty bitwise masking operation in IpSubnetFilterRule.compareTo(). Because the comparator ANDs the incoming IP against the networkAddress instead of the subnetMask, valid public IPv6 addresses outside the configured allowlist/blocklist can pass filter checks. No public exploit identified at time of analysis, and the issue is not on the CISA KEV list.

Technical ContextAI

Netty is a widely deployed asynchronous event-driven network application framework used by countless Java-based servers, proxies, and microservice runtimes (Spring WebFlux/Reactor, gRPC-Java, Elasticsearch, Cassandra clients, etc.). The defective code lives in io.netty.handler.ipfilter.IpSubnetFilterRule, which implements IP allow/deny lists for connections. CWE-284 (Improper Access Control) applies here because the comparator method intended to compute incomingAddress & subnetMask instead computes incomingAddress & networkAddress, producing incorrect range membership decisions specifically for IPv6 rules. The affected Maven coordinates are pkg:maven/io.netty:netty-handler in both the 4.1.x and 4.2.x branches.

RemediationAI

Vendor-released patch: upgrade io.netty:netty-handler to 4.2.15.Final (https://github.com/netty/netty/releases/tag/netty-4.2.15.Final) on the 4.2.x branch or 4.1.135.Final (https://github.com/netty/netty/releases/tag/netty-4.1.135.Final) on the 4.1.x branch, per GHSA-3qp7-7mw8-wx86. For deployments that cannot upgrade immediately, do not rely on IpSubnetFilter for IPv6 enforcement; enforce IPv6 restrictions one layer up (firewall, reverse proxy such as nginx/HAProxy, cloud security group, or service mesh policy) - the trade-off is duplicated rule management and potential drift between Netty and perimeter ACLs. Alternatively, restrict listeners to IPv4 only (sacrificing IPv6 connectivity) or replace IpSubnetFilter usage with an authenticated identity check, accepting added latency and code change.

Vendor StatusVendor

SUSE

Severity: Important
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS Affected

Share

CVE-2026-44249 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy