PatchSiren cyber security CVE debrief
CVE-2026-42587 Netty CVE debrief
Netty's HttpContentDecompressor and DelegatingDecompressorFrameListener fail to enforce the maxAllocation decompression limit for Brotli (br), zstd, and snappy encodings, allowing attackers to bypass memory protections by using alternative Content-Encoding headers. This enables unbounded memory allocation leading to out-of-memory denial of service. The vulnerability affects Netty versions prior to 4.1.133.Final and 4.2.13.Final.
- Vendor: Netty
- Product: Netty
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-13
- Original CVE updated: 2026-05-18
- Advisory published: 2026-05-13
- Advisory updated: 2026-05-18
Who should care
Organizations running Netty-based applications that handle HTTP request decompression, particularly those exposed to untrusted network traffic or operating with memory-constrained environments. This includes users of Netty directly as well as frameworks built on Netty such as Spring WebFlux, Vert.x, and various microservice gateways.
Technical summary
The vulnerability exists in Netty's decompression handlers where the maxAllocation parameter, intended to prevent decompression bomb attacks, is not propagated to Brotli, zstd, and snappy decoders. While gzip and deflate encodings properly respect this limit through ZlibDecoder, alternative encodings bypass the safeguard entirely. This affects both HTTP/1.1 (HttpContentDecompressor) and HTTP/2 (DelegatingDecompressorFrameListener) code paths. An attacker can exploit this by crafting compressed payloads with Content-Encoding: br (or zstd/snappy) that expand to sizes far exceeding configured limits, causing unbounded memory allocation and service disruption through out-of-memory conditions.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade Netty to version 4.1.133.Final or 4.2.13.Final or later, which enforce maxAllocation limits across all supported compression encodings.
- If immediate patching is not feasible, implement network-level controls to inspect and potentially block or rate-limit requests with Content-Encoding: br, zstd, or snappy headers until the application layer can be remediated.
- Review application configurations to ensure maxAllocation parameters are explicitly set to appropriate values for your deployment's memory constraints.
- Monitor for anomalous memory consumption patterns in services handling decompressed HTTP content, particularly those exposed to untrusted network traffic.
- For HTTP/2 deployments, verify that DelegatingDecompressorFrameListener configurations are updated alongside HttpContentDecompressor changes.
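An application-layer form of the second and third recommended actions, as an added example that is not part of the advisory or of Netty's own code: a handler placed ahead of HttpContentDecompressor that refuses br, zstd and snappy request bodies while an unpatched release is in service, plus a pipeline that sets maxAllocation explicitly. The class names, the limits and the single-argument HttpContentDecompressor(maxAllocation) constructor form are assumptions; check the constructor signature in your Netty version.

```java
import io.netty.channel.*;
import io.netty.handler.codec.http.*;
import io.netty.util.ReferenceCountUtil;
import java.util.Locale;
import java.util.Set;
public final class DecompressionGuard extends ChannelInitializer<Channel> {
    // Constructed limits for this example; size them to the deployment's memory budget.
    private static final int MAX_DECOMPRESSED_BYTES = 1 << 20; // maxAllocation, 1 MiB
    private static final int MAX_AGGREGATED_BYTES = 1 << 20;   // total body handed to the app
    // Encodings the advisory says bypass maxAllocation before 4.1.133.Final / 4.2.13.Final.
    private static final Set<String> UNENFORCED = Set.of("br", "zstd", "snappy");
    private final boolean unpatched; // true until the fixed Netty release is deployed
    public DecompressionGuard(boolean unpatched) { this.unpatched = unpatched; }
    @Override
    protected void initChannel(Channel ch) {
        ChannelPipeline p = ch.pipeline();
        p.addLast(new HttpServerCodec());
        if (unpatched) {
            p.addLast(new EncodingRejector()); // must sit before the decompressor
        }
        // Assumed constructor form (the advisory says the handler takes maxAllocation); verify it for your version.
        p.addLast(new HttpContentDecompressor(MAX_DECOMPRESSED_BYTES));
        // Caps the body the application receives; not a substitute for the decoder-level limit.
        p.addLast(new HttpObjectAggregator(MAX_AGGREGATED_BYTES));
    }
    /** Refuses requests whose Content-Encoding the unpatched decoders do not bound. */
    static final class EncodingRejector extends ChannelInboundHandlerAdapter {
        @Override
        public void channelRead(ChannelHandlerContext ctx, Object msg) {
            if (msg instanceof HttpRequest && usesUnenforcedEncoding((HttpRequest) msg)) {
                ReferenceCountUtil.release(msg);
                FullHttpResponse resp = new DefaultFullHttpResponse(
                        HttpVersion.HTTP_1_1, HttpResponseStatus.UNSUPPORTED_MEDIA_TYPE);
                resp.headers().set(HttpHeaderNames.CONTENT_LENGTH, 0);
                // Closing the connection discards the rest of this request's body unread.
                ctx.writeAndFlush(resp).addListener(ChannelFutureListener.CLOSE);
                return;
            }
            ctx.fireChannelRead(msg);
        }
        static boolean usesUnenforcedEncoding(HttpRequest req) {
            String enc = req.headers().get(HttpHeaderNames.CONTENT_ENCODING);
            if (enc == null) return false;
            for (String token : enc.split(",")) { // handles stacked values like "gzip, br"
                if (UNENFORCED.contains(token.trim().toLowerCase(Locale.ROOT))) return true;
            }
            return false;
        }
    }
}
```

Once the fixed release is deployed, construct the initializer with unpatched=false; the explicit maxAllocation remains the durable control.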
Evidence notes
The CVE description and NVD record confirm that the maxAllocation parameter is correctly enforced for gzip and deflate via ZlibDecoder but silently ignored for br, zstd, and snappy encodings. The GitHub Security Advisory is tagged as containing exploit details and mitigation guidance. CVSS 3.1 score of 7.5 (HIGH) reflects network attack vector, low complexity, no privileges required, and high availability impact.
Official resources
- CVE-2026-42587 CVE record (CVE.org)
- CVE-2026-42587 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Exploit, Mitigation, Vendor Advisory (2026-05-13)