PatchSiren cyber security CVE debrief

CVE-2026-42583 Netty CVE debrief

Netty's Lz4FrameDecoder contains an uncontrolled resource consumption vulnerability (CWE-400/CWE-770) that allows remote attackers to trigger excessive memory allocation. The decoder allocates a ByteBuf sized to the attacker-supplied decompressedLength (up to 32 MB per block) before any LZ4 decompression occurs. A malicious peer can force this allocation with only 21-22 bytes of network traffic, making this an efficient denial-of-service vector. The vulnerability affects Netty versions prior to 4.1.133.Final and 4.2.13.Final. The CVSS 3.1 score of 7.5 (HIGH) reflects network attackability, low complexity, no privileges required, and high availability impact.

Vendor: Netty
Product: netty
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-13
Original CVE updated: 2026-05-18
Advisory published: 2026-05-13
Advisory updated: 2026-05-18

Who should care

Organizations running Netty-based applications with LZ4 compression enabled, particularly those exposed to untrusted network traffic. This includes API gateways, proxy services, messaging systems, and any custom network applications built on Netty that may process LZ4-compressed data from external sources.

Technical summary

The Lz4FrameDecoder in Netty versions before 4.1.133.Final and 4.2.13.Final performs insufficient validation of the decompressedLength field in LZ4 frame headers. This field is a 32-bit unsigned integer that can specify up to approximately 32 MB per block. The decoder allocates a ByteBuf of this size immediately upon parsing the header, before any decompression occurs. An attacker can craft a minimal 21-byte LZ4 frame header (22 bytes if compressedLength equals 1) with a large decompressedLength value to force excessive memory allocation. This represents an asymmetric resource consumption attack where minimal attacker input causes disproportionate server resource exhaustion. The vulnerability is remotely exploitable without authentication and requires no user interaction.
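As an added illustration (not code from Netty or from this advisory), the Python check below applies the bound the vulnerable decoder lacked: it validates the header's decompressedLength against a caller-chosen budget before any buffer is sized from it. The 21-byte header length and the 32 MB per-block ceiling come from the advisory; the field order and token semantics are assumed from the LZ4 block format the codec implements, and the sample headers are constructed test data.

```python
import struct
# Header layout assumed from the LZ4 block format that Netty's codec implements
# (the advisory states only that the header is 21 bytes): 8-byte magic, 1-byte
# token, then little-endian int32 compressedLength, decompressedLength, checksum.
MAGIC = b"LZ4Block"
HEADER_LEN = 21
METHOD_RAW, METHOD_LZ4 = 0x10, 0x20        # token high nibble (assumed values)
LEVEL_BASE = 10                            # block size = 1 << (level + 10) (assumed)
MAX_BLOCK_SIZE = 1 << (LEVEL_BASE + 0x0F)  # 32 MiB, the per-block ceiling the advisory cites

class FrameRejected(ValueError):
    """Raised before any output buffer is sized from the untrusted header."""

def check_lz4_header(header: bytes, budget: int) -> tuple[int, int]:
    """Return (compressedLength, decompressedLength) if the header is acceptable.
    `budget` is the largest decompressed block this service will allocate for; only
    the 21 header bytes are read, so nothing is allocated before the check runs."""
    if len(header) < HEADER_LEN or header[:8] != MAGIC:
        raise FrameRejected("short header or bad magic")
    token = header[8]
    method, level = token & 0xF0, (token & 0x0F) + LEVEL_BASE
    comp_len, decomp_len = struct.unpack_from("<ii", header, 9)
    if method not in (METHOD_RAW, METHOD_LZ4):
        raise FrameRejected(f"unknown compression method 0x{method:02x}")
    if comp_len < 0 or decomp_len < 0:
        raise FrameRejected("negative length field")
    if decomp_len > min(1 << level, MAX_BLOCK_SIZE, budget):
        raise FrameRejected(f"decompressedLength {decomp_len} exceeds allowed size")
    if method == METHOD_RAW and comp_len != decomp_len:
        raise FrameRejected("raw block lengths disagree")
    if method == METHOD_LZ4 and comp_len > decomp_len:
        raise FrameRejected("compressed block larger than its output")
    return comp_len, decomp_len

def accepts(header: bytes, budget: int) -> bool:  # verdict-only form of the check
    try:
        check_lz4_header(header, budget)
        return True
    except FrameRejected:
        return False

def build_header(token: int, comp_len: int, decomp_len: int, checksum: int = 0) -> bytes:
    """Constructed sample header for testing (not captured traffic)."""
    return MAGIC + struct.pack("<Biii", token, comp_len, decomp_len, checksum)

if __name__ == "__main__":
    benign = build_header(METHOD_LZ4 | 0x02, 900, 4096)           # level 12 block, 4 KiB out
    hostile = build_header(METHOD_LZ4 | 0x0F, 1, MAX_BLOCK_SIZE)  # 21 bytes asking for 32 MiB
    print(check_lz4_header(benign, 1 << 20), accepts(hostile, 1 << 20))
```

The budget is what turns the codec's 32 MB ceiling into a limit the service actually controls: with the budget set to MAX_BLOCK_SIZE the same hostile header passes, which is the behaviour the advisory describes.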

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade Netty to 4.1.133.Final or 4.2.13.Final (or later)
  • If immediate patching is not possible, disable or restrict LZ4 compression frame handling in untrusted network contexts
  • Monitor for unusual memory allocation patterns in applications using Netty's LZ4 codec
  • Review network exposure of services using Netty's Lz4FrameDecoder, particularly those accessible from untrusted networks

Evidence notes

CVE published 2026-05-13; NVD entry modified 2026-05-18. Vendor advisory confirms exploitability and fixed versions. CPE criteria specify affected version ranges: all versions below 4.1.133.Final, and 4.2.x versions below 4.2.13.Final.

Official resources

2026-05-13T19:17:23.903Z