PatchSiren cyber security CVE debrief
CVE-2026-48059 netty CVE debrief
A memory leak vulnerability exists in Netty's HAProxy PROXY protocol v2 codec. This issue can occur when a client sends a syntactically valid header containing nested `PP2_TYPE_SSL` TLVs at depth two or greater. The leak happens on the successful parse path, with no exception thrown, and the message fires downstream. However, the underlying cumulation buffer remains permanently pinned. This issue affects Netty versions prior to 4.1.135.Final and 4.2.15.Final.
- Vendor: netty
- Product: Unknown
- CVSS: HIGH 8.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-15
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-15
Who should care
Users of Netty versions prior to 4.1.135.Final and 4.2.15.Final who utilize the HAProxy PROXY protocol v2 codec should be aware of this memory leak vulnerability.
Technical summary
The HAProxy PROXY protocol v2 codec in Netty leaks native or heap memory on every connection when a client sends a syntactically valid header containing nested `PP2_TYPE_SSL` TLVs at depth two or greater. This leak occurs on the successful parse path, with no exception thrown.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade to Netty version 4.1.135.Final or 4.2.15.Final or later.
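- Monitor the heap and native memory usage of Netty applications that use the HAProxy PROXY protocol v2 codec. The leak throws no exception, so steady memory growth may be the only visible sign.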
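An added triage example (not part of the original advisory or of Netty's own code): it scans a dependency listing for the HAProxy codec artifact and flags versions older than the two fixed releases named above. The Maven artifact name `netty-codec-haproxy`, the sample listing and the handling of release lines other than 4.1 and 4.2 are assumptions; shaded or repackaged copies of the codec are not detected.

```python
import re

# Fixed releases named in the advisory text, keyed by (major, minor) release line.
FIXED = {(4, 1): (4, 1, 135), (4, 2): (4, 2, 15)}

# Matches Maven coordinates ("...:netty-codec-haproxy:jar:4.1.118.Final:compile"),
# Gradle coordinates ("...:netty-codec-haproxy:4.2.15.Final") and jar file names
# ("netty-codec-haproxy-4.2.3.Final.jar"). Artifact name is an assumption.
ARTIFACT_RE = re.compile(r"netty-codec-haproxy(?::jar:|:|-)(\d+)\.(\d+)\.(\d+)")


def is_affected(version):
    """True if a (major, minor, patch) tuple predates the fix for its line."""
    fixed = FIXED.get(version[:2])
    if fixed is not None:
        return version < fixed
    # Assumption: lines without a listed fix count as affected only when they
    # are older than the 4.1 fix; newer lines are treated as already fixed.
    return version < FIXED[(4, 1)]


def triage(lines):
    """Return (line_number, version, affected) for each codec artifact found."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for match in ARTIFACT_RE.finditer(line):
            version = tuple(int(part) for part in match.groups())
            findings.append((number, ".".join(match.groups()), is_affected(version)))
    return findings


# Constructed sample inventory (not from the page).
SAMPLE = [
    "[INFO]    io.netty:netty-codec-haproxy:jar:4.1.118.Final:compile",
    "[INFO]    io.netty:netty-handler:jar:4.1.118.Final:compile",
    "+--- io.netty:netty-codec-haproxy:4.2.15.Final",
    "lib/netty-codec-haproxy-4.2.3.Final.jar",
    "lib/netty-codec-haproxy-4.1.135.Final.jar",
]

if __name__ == "__main__":
    for number, version, affected in triage(SAMPLE):
        status = "AFFECTED, upgrade" if affected else "fixed"
        print(f"line {number}: netty-codec-haproxy {version} -> {status}")
```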
Evidence notes
The vulnerability has been patched in Netty versions 4.1.135.Final and 4.2.15.Final.
Official resources
CVE-2026-48059 was published on 2026-06-12T16:16:30.720Z and modified on 2026-06-12T16:18:27.287Z.