PatchSiren

CVE-2026-44893 netty CVE debrief

CVE-2026-44893 is a HIGH severity vulnerability in Netty's netty-codec-haproxy component, the decoder for the HAProxy PROXY protocol. When decoding a PP2_TYPE_SSL TLV, HAProxyMessage.readNextTLV() throws IndexOutOfBoundsException if the attacker sets the TLV length below 5. This happens because `header.retainedSlice(header.readerIndex(), length)` is called before the 1-byte client field and the 4-byte verify field are read, and a value shorter than 5 bytes cannot hold them. The exception propagates out of the decoder, because HAProxyMessageDecoder only catches HAProxyProtocolException around this call, so the retained slice of the pooled cumulation buffer is never released. Every such malformed header therefore leaks pooled buffer memory, and an unauthenticated remote peer that can reach the listener can repeat it until the pool is exhausted (denial of service). This issue is patched in versions 4.1.135.Final and 4.2.15.Final.

Vendor
netty
Product
netty-codec-haproxy (per the CVE description)
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-12
Original CVE updated
2026-06-12
Advisory published
2026-06-12
Advisory updated
2026-06-12

Who should care

Anyone running a Netty service that terminates the HAProxy PROXY protocol with HAProxyMessageDecoder (netty-codec-haproxy) on a version earlier than 4.1.135.Final on the 4.1 branch or 4.2.15.Final on the 4.2 branch. The decoder is meant to sit behind a trusted load balancer, but the leak is triggered by whoever can deliver bytes to the listener, so deployments whose PROXY protocol port is reachable from untrusted networks are the most exposed. Update to the patched versions to mitigate this vulnerability.

Technical summary

The vulnerability arises from improper handling of the TLV length in netty-codec-haproxy. A PROXY protocol v2 header carries TLVs as a 1-byte type, a 2-byte length and a value; for PP2_TYPE_SSL the value begins with a fixed 5-byte prefix (1-byte client flags, 4-byte verify). HAProxyMessage.readNextTLV() does not validate the length against that prefix before touching the buffer: it first takes a retained slice of `length` bytes from the cumulation buffer, then reads the two fields, so a length below 5 raises IndexOutOfBoundsException after the slice has already been retained. Because the decoder only handles HAProxyProtocolException, the exception escapes and the slice's reference count is never decremented, leaking pooled memory on every malformed connection. The result is a remotely triggerable denial of service through memory exhaustion rather than a crash of a single connection.
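As an added illustration (this is not Netty's code and is not taken from the advisory): a Python model of the TLV parse described above. It builds a PROXY protocol v2 header carrying a PP2_TYPE_SSL TLV shorter than the fixed 5-byte prefix, then runs it through a toy decoder in the vulnerable order (retain the slice, then read the fields) and in a hardened order (check the length, then retain). The PP2 constants are taken from the PROXY protocol specification; the class and function names, the refcount tracker that stands in for a leak detector, and the hardened check itself are assumptions made for this example, not a description of Netty's actual fix.

```python
import struct

# PROXY protocol v2 constants from the protocol specification (not from Netty).
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
PP2_VER_CMD_PROXY = 0x21        # version 2, command PROXY
PP2_FAM_TCP4 = 0x11             # AF_INET over STREAM
PP2_TYPE_SSL = 0x20
PP2_SSL_FIXED_LEN = 5           # 1-byte client flags + 4-byte verify field
TCP4_ADDR_LEN = 12              # src/dst IPv4 address + src/dst port


class HAProxyProtocolError(ValueError):
    """Stand-in for HAProxyProtocolException, the only exception the decoder catches."""


class RetainedSlice:
    """Toy stand-in for a retained ByteBuf slice; only the reference count matters here."""

    def __init__(self, data):
        self.data = data
        self.refcnt = 1          # retainedSlice() hands back one reference

    def release(self):
        self.refcnt -= 1


def build_v2_header(tlvs):
    """Build a PROXY v2 TCP4 header carrying the given (type, value) TLVs (constructed test data)."""
    addrs = bytes([127, 0, 0, 1, 10, 0, 0, 1]) + struct.pack("!HH", 40000, 443)
    body = addrs + b"".join(struct.pack("!BH", t, len(v)) + v for t, v in tlvs)
    return (PP2_SIGNATURE + bytes([PP2_VER_CMD_PROXY, PP2_FAM_TCP4])
            + struct.pack("!H", len(body)) + body)


def read_ssl_tlv(value, validate, tracker):
    """Model of the PP2_TYPE_SSL branch of readNextTLV (hypothetical helper).

    validate=False mirrors the vulnerable order: retain the slice first, then read the
    fixed fields, so a short value raises IndexError with the slice still retained.
    validate=True rejects a short value before anything is retained (hardened order).
    """
    if validate and len(value) < PP2_SSL_FIXED_LEN:
        raise HAProxyProtocolError("PP2_TYPE_SSL value shorter than %d bytes" % PP2_SSL_FIXED_LEN)
    raw = RetainedSlice(value)
    tracker.append(raw)                     # what a leak detector would record
    if len(value) < PP2_SSL_FIXED_LEN:
        raise IndexError("readInt past end of %d-byte slice" % len(value))  # models IOOBE
    client = value[0]
    verify = struct.unpack_from("!I", value, 1)[0]
    return {"client": client, "verify": verify, "raw": raw}


def decode(header, validate):
    """Model of HAProxyMessageDecoder's exception handling: only HAProxyProtocolError is caught.

    Returns (outcome, leaked): outcome is 'ok', 'protocol-error' or 'uncaught', and
    leaked is the number of retained slices that were never released.
    """
    tracker = []
    hdr_len = struct.unpack_from("!H", header, 14)[0]
    pos, end = 16 + TCP4_ADDR_LEN, 16 + hdr_len
    outcome = "ok"
    try:
        while pos < end:
            typ, length = struct.unpack_from("!BH", header, pos)
            pos += 3
            if typ == PP2_TYPE_SSL:
                tlv = read_ssl_tlv(header[pos:pos + length], validate, tracker)
                tlv["raw"].release()        # the happy path releases the slice after use
            pos += length
    except HAProxyProtocolError:
        outcome = "protocol-error"          # decoder handles this and closes the connection
    except IndexError:
        outcome = "uncaught"                # escapes the decoder, like the IOOBE in the CVE
    leaked = sum(1 for s in tracker if s.refcnt > 0)
    return outcome, leaked


if __name__ == "__main__":
    malformed = build_v2_header([(PP2_TYPE_SSL, b"\x01\x00")])   # length 2 < 5
    print("vulnerable order:", decode(malformed, validate=False))
    print("hardened order:  ", decode(malformed, validate=True))
```

Running the block prints `('uncaught', 1)` for the vulnerable order, one retained slice left behind per malformed header, and `('protocol-error', 0)` for the hardened order. The design point is that the length check has to precede the retain: moving the check after `retainedSlice()` without a `finally` that releases the slice would still leak on the exception path.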

Defensive priority

HIGH

Recommended defensive actions

  • Update to Netty 4.1.135.Final or later on the 4.1 branch, or 4.2.15.Final or later on the 4.2 branch, and confirm the netty-codec-haproxy artifact actually resolved to the patched version (check the dependency tree, not just the declared version)
  • Until patched, restrict listeners that use HAProxyMessageDecoder to the addresses of the trusted proxies that legitimately send PROXY protocol headers
  • Watch for the symptom: steadily growing direct/pooled memory on hosts receiving malformed PROXY headers; Netty's ResourceLeakDetector (io.netty.leakDetection.level) reports unreleased buffers as LEAK log entries, though paranoid level costs throughput and suits staging rather than production
  • If you maintain a fork or custom TLV handling derived from readNextTLV, validate the TLV length against the fixed field sizes before retaining any slice, and release retained buffers on every exception path

Evidence notes

CVE-2026-44893 has a CVSS score of 7.5 and is classified as HIGH severity. The vulnerability is addressed in Netty versions 4.1.135.Final and 4.2.15.Final.

Official resources

The CVE-2026-44893 record was published on 2026-06-12T15:16:26.103Z and last modified on 2026-06-12T15:55:06.377Z.