PatchSiren cyber security CVE debrief

CVE-2026-46340 netty CVE debrief

CVE-2026-46340 is a HIGH severity vulnerability in Netty, a network application framework. It affects the netty-transport-sctp module and can be exploited for denial of service (DoS). In versions of netty-transport-sctp prior to 4.1.135.Final (4.1 branch) and 4.2.15.Final (4.2 branch), a remote peer can grow the fragment accumulator indefinitely by sending tiny 1-byte DATA chunks and never setting the `complete` flag. Each fragment adds another layer to a deep chain of composite buffers, degrading performance and potentially crashing the process.

Vendor: netty
Product: Unknown
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-12
Original CVE updated: 2026-06-12
Advisory published: 2026-06-12
Advisory updated: 2026-06-12

Who should care

Users of Netty whose applications include the netty-transport-sctp module, particularly services that accept SCTP messages from peers they do not control, should verify their version and upgrade.

Technical summary

The vulnerability lies in how Netty reassembles SctpMessage fragments. For every fragment that is not marked complete, the handler wraps the previous accumulator together with the new slice in a fresh CompositeByteBuf, instead of appending the slice to one existing composite. Each incoming fragment therefore nests the whole accumulator one level deeper, so a stream of minimal fragments that never signals completion builds an ever-deeper chain of composites, causing performance degradation and potential crashes. The issue carries a CVSS score of 7.5 (HIGH).

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade netty-transport-sctp to 4.1.135.Final or later on the 4.1 branch, or 4.2.15.Final or later on the 4.2 branch.
  • Use the official Netty GitHub releases as the source of the fixed builds: [ref-4](https://github.com/netty/netty/releases/tag/netty-4.1.135.Final), [ref-5](https://github.com/netty/netty/releases/tag/netty-4.2.15.Final).
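The following script is an added example, not part of the PatchSiren debrief or of the Netty project. It scans dependency-listing lines for the netty-transport-sctp artifact and flags versions older than the fixed releases named in this advisory. The fixed versions (4.1.135.Final, 4.2.15.Final) come from the text above; the sample input lines are constructed to resemble `mvn dependency:list` output, and versions on a branch the advisory does not name are reported as needing manual review rather than guessed.

```python
"""Flag netty-transport-sctp versions affected by CVE-2026-46340.

Added example; the fixed versions are taken from the advisory, the
sample dependency lines below are constructed for illustration.
"""
import re

# Minimum fixed version per release branch, as stated in the advisory.
FIXED_BY_BRANCH = {
    (4, 1): (4, 1, 135),   # 4.1.135.Final
    (4, 2): (4, 2, 15),    # 4.2.15.Final
}

# Matches Maven coordinates such as
# io.netty:netty-transport-sctp:jar:4.1.134.Final:compile
COORD_RE = re.compile(
    r"io\.netty:netty-transport-sctp:(?:jar:)?"
    r"(?P<version>\d+\.\d+\.\d+(?:\.[A-Za-z0-9]+)?)"
)

# Constructed sample lines in the shape of `mvn dependency:list` output.
SAMPLE_LINES = [
    "[INFO]    io.netty:netty-transport-sctp:jar:4.1.134.Final:compile",
    "[INFO]    io.netty:netty-transport-sctp:jar:4.1.135.Final:compile",
    "[INFO]    io.netty:netty-transport-sctp:jar:4.2.14.Final:compile",
    "[INFO]    io.netty:netty-transport:jar:4.2.15.Final:compile",
    "[INFO]    io.netty:netty-transport-sctp:jar:4.2.15.Final:compile",
]


def parse_version(text):
    """'4.1.134.Final' -> (4, 1, 134); the qualifier (Final, Alpha2) is ignored."""
    major, minor, patch = (int(p) for p in text.split(".")[:3])
    return (major, minor, patch)


def is_affected(version_text):
    """True if older than the branch fix, False if fixed, None if the branch
    is not covered by the advisory and must be reviewed by hand."""
    version = parse_version(version_text)
    fixed = FIXED_BY_BRANCH.get(version[:2])
    if fixed is None:
        return None
    return version < fixed


def scan_dependency_lines(lines):
    """Return (version, affected) for every netty-transport-sctp coordinate.

    Other Netty artifacts (e.g. netty-transport) are ignored because the
    advisory scopes the issue to the SCTP transport module."""
    results = []
    for line in lines:
        match = COORD_RE.search(line)
        if match:
            version = match.group("version")
            results.append((version, is_affected(version)))
    return results


if __name__ == "__main__":
    for version, affected in scan_dependency_lines(SAMPLE_LINES):
        status = {True: "AFFECTED", False: "fixed", None: "review manually"}[affected]
        print(f"netty-transport-sctp {version}: {status}")
```

Run it against the real output of `mvn dependency:list` (or any listing that contains the Maven coordinates) by replacing `SAMPLE_LINES` with the file's lines; a `True` result means the build still pulls in a vulnerable SCTP transport and the upgrade above applies.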

Evidence notes

The vulnerability was reported by an unknown source and is tracked by CVE-2026-46340. The official CVE record can be found at [cve-org](https://www.cve.org/CVERecord?id=CVE-2026-46340). Additional information can be found at [nvd](https://nvd.nist.gov/vuln/detail/CVE-2026-46340) and [ref-6](https://github.com/netty/netty/security/advisories/GHSA-5xrh-qmmq-w6ch).

Official resources

CVE-2026-46340 was published on 2026-06-12T15:16:27.743Z and modified on 2026-06-12T15:55:06.377Z.