Skip to main content

Netty EUVDEUVD-2026-36432

| CVE-2026-44893 HIGH
Improper Check or Handling of Exceptional Conditions (CWE-703)
2026-06-08 https://github.com/netty/netty GHSA-cc37-9q2j-3hfv
7.5
CVSS 3.1 · Vendor: https://github.com/netty/netty
Share

Severity by source

Vendor (https://github.com/netty/netty) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (https://github.com/netty/netty).

CVSS VectorVendor: https://github.com/netty/netty

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 08, 2026 - 19:52 vuln.today
Analysis Generated
Jun 08, 2026 - 19:52 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 75 maven packages depend on io.netty:netty-codec-haproxy (3 direct, 72 indirect)

Ecosystem-wide dependent count for version 4.2.0.Final.

DescriptionCVE.org

When decoding a PP2_TYPE_SSL TLV, HAProxyMessage.readNextTLV() first calls header.retainedSlice(header.readerIndex(), length) and only then reads the 1-byte client field and 4-byte verify field. If the attacker sets the TLV length below 5, the subsequent readByte/readInt throws IndexOutOfBoundsException. HAProxyMessageDecoder only catches HAProxyProtocolException around this call, so the IOOBE propagates and the retained slice on the pooled cumulation buffer is never released.

AnalysisAI

Memory leak in Netty's HAProxy codec (io.netty:netty-codec-haproxy) allows remote unauthenticated attackers to exhaust server memory by sending PROXY protocol v2 frames containing a malformed PP2_TYPE_SSL TLV with a length below 5 bytes. The flaw causes a retained slice on the pooled cumulation buffer to never be released when an IndexOutOfBoundsException escapes the decoder's narrow exception handler. No public exploit identified at time of analysis, but the issue is trivially reproducible from the advisory's technical detail and affects any service that accepts PROXY v2 input from untrusted peers.

Technical ContextAI

Netty is a widely deployed asynchronous event-driven network application framework for Java; the affected module netty-codec-haproxy implements the HAProxy PROXY protocol (v1/v2) commonly used by load balancers and reverse proxies to forward original client connection metadata. The root cause is a resource-management ordering bug in HAProxyMessage.readNextTLV() when processing a PP2_TYPE_SSL TLV: the code performs header.retainedSlice(header.readerIndex(), length) - incrementing the reference count on a pooled ByteBuf slice - before reading the mandatory 1-byte client field and 4-byte verify field. If the supplied TLV length is less than 5, the subsequent readByte/readInt throws IndexOutOfBoundsException, but HAProxyMessageDecoder only catches HAProxyProtocolException, so the IOOBE propagates up the pipeline without releasing the retained slice. This is a classic CWE-772 (Missing Release of Resource after Effective Lifetime) / CWE-401-style memory leak on Netty's pooled buffer allocator, where leaked retained slices pin chunks in the pool and progressively starve the JVM of direct/heap memory.

RemediationAI

Upgrade netty-codec-haproxy to vendor-released patch 4.2.15.Final (for the 4.2.x branch, release notes at https://github.com/netty/netty/releases/tag/netty-4.2.15.Final) or 4.1.135.Final (for the 4.1.x branch, https://github.com/netty/netty/releases/tag/netty-4.1.135.Final), as documented in advisory https://github.com/netty/netty/security/advisories/GHSA-cc37-9q2j-3hfv; transitive consumers should bump their Netty BOM/parent or override the netty-codec-haproxy dependency version explicitly. If immediate patching is not possible, restrict the PROXY protocol listener so it only accepts connections from trusted upstream load balancers via network ACLs or firewall rules (side effect: requires accurate inventory of upstream peers and breaks if peer IPs change), or disable HAProxy PROXY v2 ingestion entirely where the application can fall back to plain TCP plus X-Forwarded-For (side effect: loses original client TLS metadata such as SSL verify state and SNI). Monitoring JVM direct-memory and pooled-ByteBuf metrics (e.g., PooledByteBufAllocator.DEFAULT.metric()) for steady growth can provide early detection while a rollout is in progress.

Vendor StatusVendor

SUSE

Severity: Important
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS Affected

Share

EUVD-2026-36432 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy