PatchSiren cyber security CVE debrief
CVE-2026-45416 netty CVE debrief
CVE-2026-45416 is a vulnerability in the Netty network application framework. The SslClientHelloHandler.decode() method reads the 24-bit TLS handshake length from the ClientHello and allocates a buffer of that size. However, the guard that bounds the handshake length is not applied when the handler is built with certain constructors, such as SniHandler(Mapping), SniHandler(AsyncMapping), and AbstractSniHandler(). A peer can therefore trigger a large memory allocation before any handshake data is validated, potentially leading to a denial-of-service (DoS) condition. The vulnerability has a CVSS score of 7.5 and is classified as HIGH severity.
- Vendor: netty
- Product: Unknown
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-12
Who should care
Users of Netty versions prior to 4.1.135.Final and 4.2.15.Final should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The vulnerability is caused by the SslClientHelloHandler.decode() method allocating a buffer of size handshakeLength, a value read from the peer's ClientHello that can be far larger than the data actually sent. The check that limits the handshake length is not applied when the handler is created through certain constructors, so each connection can force a large allocation and exhaust memory, potentially causing a DoS condition.
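The decode pattern described above, shown as an added example that is not Netty's SslClientHelloHandler code: it parses the TLS record and handshake headers, contrasts sizing a reassembly buffer from the peer's 24-bit claim alone with checking that claim against a cap first, and reassembles a ClientHello across records with both a length bound and a handshake deadline applied. All names (peek_handshake_length, BoundedClientHelloAccumulator, MAX_CLIENT_HELLO_LENGTH, DEFAULT_HANDSHAKE_TIMEOUT_S) and the cap and timeout values are this example's own assumptions, and the sample records are constructed stand-ins rather than real ClientHello messages.

```python
"""Bounded TLS ClientHello decoding (added illustration, not Netty code)."""
import struct
import time

TLS_HANDSHAKE_RECORD = 0x16
HANDSHAKE_CLIENT_HELLO = 0x01
RECORD_HEADER_LEN = 5      # content type (1) + version (2) + record length (2)
HANDSHAKE_HEADER_LEN = 4   # message type (1) + 24-bit message length (3)
MAX_CLIENT_HELLO_LENGTH = 16 * 1024   # assumed cap for this example, not Netty's default
DEFAULT_HANDSHAKE_TIMEOUT_S = 10.0    # assumed timeout for this example


class ClientHelloTooLarge(ValueError):
    pass


class HandshakeTimeout(TimeoutError):
    pass


def peek_handshake_length(data: bytes):
    """Return the 24-bit ClientHello length the peer claims, or None if the
    record and handshake headers (9 bytes) have not fully arrived yet."""
    if len(data) < RECORD_HEADER_LEN + HANDSHAKE_HEADER_LEN:
        return None
    content_type, _version, _record_len = struct.unpack("!BHH", data[:RECORD_HEADER_LEN])
    if content_type != TLS_HANDSHAKE_RECORD:
        raise ValueError("not a TLS handshake record")
    if data[RECORD_HEADER_LEN] != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    # One TLS record carries at most 2^14 bytes, so a longer message is reassembled
    # across records and the decoder must buffer until all claimed bytes arrive.
    return int.from_bytes(data[RECORD_HEADER_LEN + 1:RECORD_HEADER_LEN + 4], "big")


def unguarded_alloc_size(data: bytes):
    """Vulnerable pattern: size the reassembly buffer by the claim alone, so a
    9-byte prefix claiming 0xFFFFFF reserves 16 MiB for this connection."""
    return peek_handshake_length(data)


def guarded_alloc_size(data: bytes, max_len: int = MAX_CLIENT_HELLO_LENGTH):
    """Hardened pattern: reject the claim before reserving anything."""
    n = peek_handshake_length(data)
    if n is not None and n > max_len:
        raise ClientHelloTooLarge(f"ClientHello claims {n} bytes, cap is {max_len}")
    return n


def would_reject(data: bytes, max_len: int = MAX_CLIENT_HELLO_LENGTH) -> bool:
    try:
        guarded_alloc_size(data, max_len)
    except ClientHelloTooLarge:
        return True
    return False


class BoundedClientHelloAccumulator:
    """Reassembles a ClientHello across TLS records with both controls applied:
    a cap on the claimed length and a deadline after which the handshake is dropped."""

    def __init__(self, max_len=MAX_CLIENT_HELLO_LENGTH,
                 timeout_s=DEFAULT_HANDSHAKE_TIMEOUT_S, clock=time.monotonic):
        self.max_len = max_len
        self._clock = clock
        self._deadline = clock() + timeout_s
        self._raw = bytearray()        # record bytes not yet consumed
        self.handshake = bytearray()   # concatenated handshake payload
        self._expected = None

    def feed(self, chunk: bytes) -> bool:
        """Absorb bytes from the wire; True once the whole ClientHello is buffered."""
        if self._clock() > self._deadline:
            raise HandshakeTimeout("ClientHello did not complete in time")
        self._raw += chunk
        # Peel every complete record and append its payload to the handshake buffer.
        while len(self._raw) >= RECORD_HEADER_LEN:
            content_type, _v, record_len = struct.unpack("!BHH", self._raw[:RECORD_HEADER_LEN])
            if content_type != TLS_HANDSHAKE_RECORD:
                raise ValueError("not a TLS handshake record")
            if len(self._raw) < RECORD_HEADER_LEN + record_len:
                break
            self.handshake += self._raw[RECORD_HEADER_LEN:RECORD_HEADER_LEN + record_len]
            del self._raw[:RECORD_HEADER_LEN + record_len]
        if self._expected is None:
            if len(self.handshake) < HANDSHAKE_HEADER_LEN:
                return False
            if self.handshake[0] != HANDSHAKE_CLIENT_HELLO:
                raise ValueError("not a ClientHello")
            n = int.from_bytes(self.handshake[1:HANDSHAKE_HEADER_LEN], "big")
            if n > self.max_len:   # checked before any buffer grows towards n bytes
                raise ClientHelloTooLarge(f"ClientHello claims {n} bytes, cap is {self.max_len}")
            self._expected = n
        return len(self.handshake) - HANDSHAKE_HEADER_LEN >= self._expected


def build_record(claimed_len: int, body: bytes) -> bytes:
    """Constructed sample: one TLS record wrapping a ClientHello header that
    claims claimed_len bytes (the body is a stand-in, not a real ClientHello)."""
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + claimed_len.to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE_RECORD, 0x0301, len(handshake)) + handshake


# Constructed inputs: a 4-byte message, and a 9-byte prefix claiming 16 MiB - 1.
BENIGN = build_record(4, b"\x03\x03\x00\x00")
OVERSIZE = build_record(0xFFFFFF, b"")

if __name__ == "__main__":
    print("unguarded would reserve", unguarded_alloc_size(OVERSIZE), "bytes")
    print("guarded rejects oversize:", would_reject(OVERSIZE))
    print("benign complete:", BoundedClientHelloAccumulator().feed(BENIGN))
```

The point of the accumulator is the ordering: the cap is compared against the claimed length as soon as the 4-byte handshake header is available, before any buffer is grown to that size, and the deadline bounds how long a half-sent ClientHello can hold resources. That is the same pair of controls the advisory's maxClientHelloLength and handshakeTimeoutMillis parameters stand for.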
Defensive priority
HIGH
Recommended defensive actions
- Upgrade to Netty version 4.1.135.Final or 4.2.15.Final or later.
- If upgrading immediately is not possible, construct SniHandler/AbstractSniHandler with the constructor that takes maxClientHelloLength and handshakeTimeoutMillis, so that the length bound and handshake timeout are enforced.
Evidence notes
The CVE record [cve-org] provides details on the vulnerability. The NVD entry [nvd] offers additional information. References [ref-4], [ref-5], and [ref-6] provide patches and advisories from the vendor.
Official resources
CVE-2026-45416 was published on 2026-06-12T15:16:26.940Z and modified on 2026-06-12T15:55:06.377Z.