CVE-2026-48059
Netty is a network application framework for development of protocol servers and clients
Published: 2026-06-12 · Last updated: 2026-06-12
Severity and scoring
- CWE
- CWE-401
Description
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, the HAProxy PROXY protocol v2 codec in netty leaks native or heap memory on every connection when a client sends a syntactically valid header containing nested `PP2_TYPE_SSL` TLVs (type-length-value records) at depth two or greater. The leak occurs on the successful parse path — no exception is thrown, the message fires downstream, the decoder removes itself, and the application releases the `HAProxyMessage` normally. Yet the underlying cumulation buffer (a pooled, potentially direct `ByteBuf` allocated by the channel) remains permanently pinned. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Source: NVD
References
Related CVEs
Same CWE
- CVE-2026-48043 — Netty is a network application framework for development of protocol servers and clients (5.3 MEDIUM)
- CVE-2026-48006 — Netty is a network application framework for development of protocol servers and clients
- CVE-2026-20746 — Virtual attribute handling in Ping Identity PingDirectory in affected versions allows only authorized users to exhaust java memory heap w...
- CVE-2026-53464 — ImageMagick is free and open-source software used for editing and manipulating digital images (4.0 MEDIUM)
- CVE-2026-46679 — libp2p is a JavaScript Implementation of libp2p networking stack (7.5 HIGH)