Skip to main content

Netty EUVDEUVD-2026-36457

| CVE-2026-48059 HIGH
Memory Leak (CWE-401)
2026-06-11 https://github.com/netty/netty GHSA-h2qv-fj59-j46j
8.7
CVSS 4.0 · Vendor: https://github.com/netty/netty
Share

Severity by source

Vendor (https://github.com/netty/netty) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.5 HIGH

Remote unauthenticated TCP bytes to a PROXY-protocol listener trigger an unbounded pooled-buffer leak, yielding availability-only impact (A:H) with no confidentiality or integrity effect.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (https://github.com/netty/netty).

CVSS VectorVendor: https://github.com/netty/netty

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
Jun 12, 2026 - 16:28 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 12, 2026 - 16:27 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 12, 2026 - 16:22 vuln.today
cvss_changed
CVSS changed
Jun 12, 2026 - 16:22 NVD
8.7 (HIGH)
Source Code Evidence Fetched
Jun 11, 2026 - 20:50 vuln.today
Analysis Generated
Jun 11, 2026 - 20:50 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 75 maven packages depend on io.netty:netty-codec-haproxy (3 direct, 72 indirect)

Ecosystem-wide dependent count for version 4.2.0.Final.

DescriptionCVE.org

Impact

The HAProxy PROXY protocol v2 codec in netty leaks native or heap memory on every connection when a client sends a syntactically valid header containing nested PP2_TYPE_SSL TLVs (type-length-value records) at depth two or greater. The leak occurs on the successful parse path - no exception is thrown, the message fires downstream, the decoder removes itself, and the application releases the HAProxyMessage normally. Yet the underlying cumulation buffer (a pooled, potentially direct ByteBuf allocated by the channel) remains permanently pinned.

AnalysisAI

Memory exhaustion in Netty's HAProxy PROXY protocol v2 codec (netty-codec-haproxy) allows remote unauthenticated attackers to permanently pin pooled ByteBuf memory by sending PROXY v2 headers containing nested PP2_TYPE_SSL TLVs at depth two or greater. Each malicious connection silently leaks native or heap memory on the successful parse path, enabling a sustained denial-of-service against any Netty-based server that terminates PROXY protocol traffic. No public exploit identified at time of analysis, and EPSS is low (0.04%), but the vendor advisory and fixed releases (4.1.135.Final, 4.2.15.Final) are published.

Technical ContextAI

Netty is a widely deployed Java NIO framework used by countless servers, proxies, and microservice gateways. The netty-codec-haproxy module implements HAProxy's PROXY protocol v2, a binary format that carries client metadata in type-length-value (TLV) records, including PP2_TYPE_SSL which itself contains nested sub-TLVs. The flaw is a CWE-401 missing release of memory after effective lifetime: when sub-TLVs of type PP2_TYPE_SSL appear nested at depth two or greater, the decoder parses them successfully, emits the HAProxyMessage downstream, and removes itself from the pipeline, but a reference to the pooled (potentially direct, off-heap) cumulation ByteBuf is never released. Affected coordinates are pkg:maven/io.netty:netty-codec-haproxy across both the 4.1.x and 4.2.x branches.

RemediationAI

Vendor-released patch: upgrade io.netty:netty-codec-haproxy to 4.1.135.Final on the 4.1.x branch (https://github.com/netty/netty/releases/tag/netty-4.1.135.Final) or 4.2.15.Final on the 4.2.x branch (https://github.com/netty/netty/releases/tag/netty-4.2.15.Final); both releases also address several other Netty CVEs in the same coordinated batch so a single upgrade closes multiple issues. As a compensating control if upgrade is blocked, remove HAProxyMessageDecoder from pipelines that do not strictly require PROXY protocol termination, or terminate PROXY v2 at a non-Netty front-end (HAProxy, Envoy, AWS NLB) so only sanitised TCP reaches Netty - accepting the side effect that original client IP/TLS metadata propagation must then be reconstructed via headers. If Netty must remain the PROXY terminator, restrict the listener to mutually authenticated upstream load balancers via network ACLs so that arbitrary clients cannot inject crafted PROXY v2 headers; consult the GHSA-h2qv-fj59-j46j advisory for vendor guidance.

Vendor StatusVendor

SUSE

Severity: Important
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS Affected

Share

EUVD-2026-36457 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy