PatchSiren cyber security CVE debrief
CVE-2026-44248 Netty CVE debrief
CVE-2026-44248 is a medium-severity uncontrolled resource consumption vulnerability in Netty's MQTT 5 decoder. The flaw exists because the MQTT 5 header Properties section is parsed and buffered before any message size limit is applied. Specifically, in MqttDecoder, the decodeVariableHeader() method executes before the bytesRemainingBeforeVariableHeader > maxBytesInMessage check, allowing decodeProperties() to process arbitrarily large Properties sections without limits. Because MqttDecoder extends ReplayingDecoder, Netty repeatedly re-parses these oversized Properties sections and buffers bytes in memory until parsing completes, causing excessive CPU and memory consumption. The vulnerability affects Netty versions prior to 4.1.133.Final and 4.2.0 through 4.2.12.Final. This issue was published on May 13, 2026 and last modified on May 18, 2026. No known exploitation in ransomware campaigns has been reported.
- Vendor
- Netty
- Product
- Netty
- CVSS
- MEDIUM 5.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-13
- Original CVE updated
- 2026-05-18
- Advisory published
- 2026-05-13
- Advisory updated
- 2026-05-18
Who should care
Organizations operating Netty-based MQTT brokers or clients that handle untrusted MQTT 5 traffic, particularly IoT platforms, messaging infrastructure, and real-time data streaming services where Netty serves as the underlying network framework.
Technical summary
The vulnerability stems from incorrect ordering of validation checks in Netty's MqttDecoder. The decodeVariableHeader() method, which triggers decodeProperties() for MQTT 5 header Properties, executes prior to the maxBytesInMessage size validation. This architectural flaw in the ReplayingDecoder-based implementation causes unbounded buffering and repeated re-parsing of oversized Properties sections. Attackers can exploit this by sending crafted MQTT 5 messages with extremely large Properties sections, triggering denial-of-service conditions through resource exhaustion. The fix in 4.1.133.Final and 4.2.13.Final restructures the validation logic to enforce size limits before property parsing begins.
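To make the ordering problem concrete, the following added example (not Netty's MqttDecoder, and not code from the advisory) implements a minimal MQTT 5 CONNECT decoder. The wire format follows the MQTT 5 specification; the 64-byte limit and the NeedMoreData exception are assumed stand-ins for Netty's maxBytesInMessage and for ReplayingDecoder's "buffer and retry" behaviour, so the same oversized frame is rejected immediately in the patched order but keeps the decoder waiting for more bytes in the vulnerable order.

```python
# Minimal MQTT 5 CONNECT decoder illustrating the check ordering behind CVE-2026-44248.
# Added example, not Netty code: MAX_BYTES_IN_MESSAGE and NeedMoreData are assumed
# stand-ins for Netty's maxBytesInMessage and the ReplayingDecoder retry behaviour.

MAX_BYTES_IN_MESSAGE = 64  # assumed limit for the example


class NeedMoreData(Exception):
    """Raised where a ReplayingDecoder would buffer the partial frame and retry."""


def decode_varint(buf, pos):
    """Decode an MQTT variable byte integer (1-4 bytes); return (value, new_pos)."""
    value, multiplier = 0, 1
    for _ in range(4):
        if pos >= len(buf):
            raise NeedMoreData()
        byte = buf[pos]
        pos += 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, pos
        multiplier *= 128
    raise ValueError("malformed variable byte integer")


def decode_connect(buf, max_bytes=MAX_BYTES_IN_MESSAGE, limit_before_properties=True):
    """Parse the fixed header, CONNECT variable header and Properties of one frame.
    True: patched order, limit enforced once Remaining Length is known.
    False: vulnerable order, Properties parsed and buffered before the limit check."""
    if len(buf) < 2:
        raise NeedMoreData()
    if buf[0] >> 4 != 1:
        raise ValueError("not a CONNECT packet")
    remaining, pos = decode_varint(buf, 1)
    if limit_before_properties and remaining > max_bytes:
        raise ValueError(f"{remaining}-byte message exceeds limit of {max_bytes}")
    end = pos + remaining
    if len(buf) < pos + 10:
        raise NeedMoreData()
    if buf[pos:pos + 6] != b"\x00\x04MQTT" or buf[pos + 6] != 5:
        raise ValueError("not an MQTT 5 CONNECT")
    keep_alive = int.from_bytes(buf[pos + 8:pos + 10], "big")
    pos += 10
    prop_len, pos = decode_varint(buf, pos)
    if len(buf) < pos + prop_len:
        raise NeedMoreData()  # the vulnerable order keeps buffering here
    properties = bytes(buf[pos:pos + prop_len])
    pos += prop_len
    if not limit_before_properties and remaining > max_bytes:
        raise ValueError(f"{remaining}-byte message exceeds limit of {max_bytes}")
    return {"keep_alive": keep_alive, "properties": properties, "payload_len": end - pos}
```

A frame whose Remaining Length already exceeds the limit is rejected from the fixed header alone in the patched order, before a single Properties byte is buffered.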
Defensive priority
medium
Recommended defensive actions
- Upgrade Netty to version 4.1.133.Final or 4.2.13.Final or later to remediate this vulnerability
- If immediate patching is not feasible, implement network-level controls to restrict untrusted MQTT traffic to affected Netty-based services
- Monitor resource utilization (CPU and memory) on systems running Netty MQTT handlers for anomalous consumption patterns
- Review application logs for unusually large MQTT message headers that may indicate exploitation attempts
- Validate that any custom MqttDecoder implementations apply appropriate size limits before property parsing
Evidence notes
The vulnerability description and affected version ranges are derived from the official CVE record and NVD entry. The technical details regarding decodeVariableHeader(), decodeProperties(), and ReplayingDecoder behavior are sourced directly from the CVE description. CVSS 3.1 score of 5.3 (MEDIUM) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L confirms network-based availability impact without confidentiality or integrity compromise. CWE-400 (Uncontrolled Resource Consumption) is the assigned weakness classification.
Official resources
- CVE-2026-44248 CVE record (CVE.org)
- CVE-2026-44248 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Vendor Advisory (2026-05-13T19:17:27.143Z)