These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
CVE-2026-50560 is a vulnerability in Netty, a network application framework. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty's HTTP/2 max header size handling enables an attack similar to HTTP/2 Rapid Reset. The vulnerability is caused by Netty's handling of the `SETTINGS_MAX_HEADER_LIST_SIZE` setting from the HTTP/2 specification. When a client sends this setting to Netty, it can cause Netty to behave in a way that is [truncated]
CVE-2026-50020 is a vulnerability in Netty's HttpObjectDecoder. Prior to versions 4.1.135.Final and 4.2.15.Final, the decoder skips certain bytes, including non-CRLF control characters, which can lead to request-boundary confusion in pipelined or multiplexed transports. This vulnerability has a CVSS score of 5.3 and is classified as MEDIUM severity.
A vulnerability was discovered in Netty, a network application framework, affecting the RedisArrayAggregator component. Prior to versions 4.1.135.Final and 4.2.15.Final, the RedisArrayAggregator pre-allocates an ArrayList with an initial capacity equal to the RESP array element count declared in an array header. This count is taken from the wire before the corresponding child messages exist, allowing a sm [truncated]
CVE-2026-50010 is a HIGH severity vulnerability in Netty, a network application framework. The issue arises from how Netty handles trust managers. Specifically, SimpleTrustManagerFactory.engineGetTrustManagers() and related paths wrap any user-supplied plain X509TrustManager in X509TrustManagerWrapper. This wrapper extends X509ExtendedTrustManager but implements the 3-arg checkServerTrusted(chain, authTyp [truncated]
CVE-2026-50009 is a vulnerability in Netty, a network application framework. Prior to version 4.2.15.Final, Netty QUIC exposes the stateless reset token on the network path when using the default HMAC-based connection-ID and stateless-reset-token generators. This allows an on-path attacker to derive the reset token for the server's current source connection ID from bytes that appear as the connection ID i [truncated]
CVE-2026-48748 is a high-severity vulnerability in the Netty HTTP/3 codec that allows for memory exhaustion via the creation of an infinite number of blocked streams, potentially leading to an Out-of-Memory (OOM) error. This issue was patched in Netty version 4.2.15.Final.
A memory leak vulnerability exists in Netty's HAProxy PROXY protocol v2 codec. This issue can occur when a client sends a syntactically valid header containing nested `PP2_TYPE_SSL` TLVs at depth two or greater. The leak happens on the successful parse path, with no exception thrown, and the message fires downstream. However, the underlying cumulation buffer remains permanently pinned. This issue affects [truncated]
CVE-2026-48043 is a vulnerability in the Netty network application framework, specifically in the netty-codec-http2 component. The `DelegatingDecompressorFrameListener` class is susceptible to a resource leak due to improper handling of decompressed chunks. This could lead to an Out-of-Memory Error (OOME) and potentially take down the entire JVM. The vulnerability has a CVSS score of 5.3 and is classified [truncated]
A high-severity vulnerability was discovered in Netty, a network application framework. The RedisArrayAggregator handler is susceptible to a denial-of-service attack due to a memory leak. When a Redis pipeline connection closes before a RESP array aggregate completes, the handler retains child messages in its state without releasing them, leading to a permanent leak of pooled direct-memory buffers. This i [truncated]
CVE-2026-47691 is a HIGH severity vulnerability in Netty, a network application framework, that allows for DNS Cache Poisoning due to insufficient validation of NS records in the `DnsResolveContext`. This vulnerability affects Netty versions prior to 4.1.135.Final and 4.2.15.Final. An attacker controlling an authoritative name server for a subdomain can exploit this vulnerability to poison the cache for p [truncated]
CVE-2026-47244 is a vulnerability in Netty's HTTP/2 server implementation. Prior to versions 4.1.135.Final and 4.2.15.Final, the server could allocate excessive stream objects, potentially leading to resource exhaustion and amplification attacks. The issue arises from the DefaultHttp2Connection.DefaultEndpoint initializing maxActiveStreams/maxStreams to Integer.MAX_VALUE and Http2Settings not inserting SE [truncated]
CVE-2026-46340 is a HIGH severity vulnerability in Netty, a network application framework. The vulnerability affects netty-transport-sctp and can cause a Denial of Service (DoS) attack. In versions of netty-transport-sctp prior to 4.1.135.Final and 4.2.15.Final, an attacker can grow the accumulator structure indefinitely from tiny 1-byte DATA chunks by never setting the `complete` flag. This can lead to a [truncated]
CVE-2026-45674 is a HIGH severity vulnerability in Netty's DnsResolveContext. The resolver fails to validate the origin (bailiwick) of CNAME records in DNS responses, potentially allowing DNS response spoofing. This issue was patched in Netty versions 4.1.135.Final and 4.2.15.Final.
CVE-2026-45673 is a DNS Cache Poisoning vulnerability in Netty, a network application framework. The vulnerability has a CVSS score of 6.8 and was published on 2026-06-12T15:16:27.417Z. The vulnerability exists in Netty's DNS resolver, which uses a predictable PRNG for generating DNS transaction IDs and defaults to a static UDP source port. This combination reduces the entropy of DNS queries, enabling DNS [truncated]
CVE-2026-45536 is a MEDIUM severity vulnerability in Netty, a network application framework. The vulnerability occurs in the netty_unix_socket_recvFd function, where a peer-sent SCM_RIGHTS cmsg carrying two ints can cause a file descriptor leak. This happens when the application opts into DomainSocketReadMode.FILE_DESCRIPTORS (non-default) via Epoll/KQueue DomainSocketChannel. The issue is patched in vers [truncated]
CVE-2026-45416 is a vulnerability in the Netty network application framework. The SslClientHelloHandler.decode() method reads the 24-bit TLS handshake length and allocates a buffer of that size. However, the guard against large handshake lengths is disabled when using certain constructors, such as SniHandler(Mapping), SniHandler(AsyncMapping), and AbstractSniHandler(). This allows for a large allocation o [truncated]
CVE-2026-44894 is a vulnerability in Netty's NoQuicTokenHandler. Prior to version 4.2.15.Final, it incorrectly validates tokens, allowing an attacker to bypass the 3× anti-amplification send limit. This could lead to a high-impact attack, with a CVSS score of 7.5.
CVE-2026-44893 is a HIGH severity vulnerability in Netty's netty-codec-haproxy component. When decoding a PP2_TYPE_SSL TLV, HAProxyMessage.readNextTLV() is susceptible to IndexOutOfBoundsException if the attacker sets the TLV length below 5. This occurs because `header.retainedSlice(header.readerIndex(), length)` is called before reading the 1-byte client field and 4-byte verify field. The exception propa [truncated]
CVE-2026-44892 is a HIGH severity vulnerability in the Netty network application framework. The `Http3ConnectionHandler` in the Netty HTTP/3 codec has a default configuration that lacks an enforced maximum header size limit. When a peer does not specify `HTTP3_SETTINGS_MAX_FIELD_SECTION_SIZE`, the implementation defaults to an unbounded limit. This allows a malicious client or server to send an enormous n [truncated]
CVE-2026-44890 is a high-severity vulnerability in Netty, a network application framework. The vulnerability allows an attacker to cause a Denial of Service (DoS) by sending crafted Redis payloads across multiple connections without a terminating `\r\n`. This exhausts the server's direct memory pool (OutOfDirectMemoryError), preventing legitimate connections from being processed. The vulnerability affects netty-codec-re [truncated]
CVE-2026-44250 is a high-severity vulnerability in Netty's netty-codec-redis component. An attacker can cause a Denial of Service (DoS) by sending a crafted Redis payload with deeply nested arrays, leading to memory exhaustion and an OutOfMemoryError. This vulnerability has a CVSS score of 7.5 and is considered HIGH severity. The issue was patched in versions 4.1.135.Final and 4.2.15.Final of Netty.
CVE-2026-44249 is a high-severity vulnerability in Netty's netty-handler component. An attacker can bypass IPv6 subnet rules due to an incorrect masking operation in IpSubnetFilterRule.compareTo(). Valid public IP addresses can bypass the restrictions. The issue was patched in versions 4.1.135.Final and 4.2.15.Final.
CVE-2026-48480 is a MEDIUM severity vulnerability in the Netty Incubator Codec OHTTP, a Java language binary HTTP parser. Prior to version 0.0.22.Final, the codec-ohttp implementation of draft-ietf-ohai-chunked-ohttp does not verify that a cryptographically-signed final chunk was received before the outer HTTP body terminates. This allows an on-path adversary (the OHTTP relay itself, or any MITM on the re [truncated]
CVE-2026-48040 is a vulnerability in the Netty incubator codec.bhttp, a Java language binary HTTP parser. The library implements Oblivious HTTP (RFC 9458) using BoringSSL's HPKE C library via JNI. When deriving native memory addresses for cryptographic operations, versions prior to 0.0.22.Final provide a fallback path for direct ByteBufs that do not expose their memory address through `hasMemoryAddress()` [truncated]
The Netty-Incubator-Codec-Ohttp, a Java language binary HTTP parser, has a vulnerability in its HKDF (HMAC-based Key Derivation Function) key material generation. Prior to version 0.0.21.Final, the HKDF_expand function returns a non-NULL value on failure, namely a byte array filled with zeros. This makes it impossible to distinguish a successful operation from a failed one. The output of this funct [truncated]
CVE-2026-44248 is a medium-severity uncontrolled resource consumption vulnerability in Netty's MQTT 5 decoder. The flaw exists because the MQTT 5 header Properties section is parsed and buffered before any message size limit is applied. Specifically, in MqttDecoder, the decodeVariableHeader() method executes before the bytesRemainingBeforeVariableHeader > maxBytesInMessage check, allowing decodeProperties [truncated]
Netty's HttpContentDecompressor and DelegatingDecompressorFrameListener fail to enforce the maxAllocation decompression limit for Brotli (br), zstd, and snappy encodings, allowing attackers to bypass memory protections by using alternative Content-Encoding headers. This enables unbounded memory allocation leading to out-of-memory denial of service. The vulnerability affects Netty versions prior to 4.1.133 [truncated]
Netty versions prior to 4.1.133.Final and 4.2.13.Final contain an HTTP request smuggling vulnerability stemming from incorrect parsing of malformed Transfer-Encoding headers. The flaw allows attackers to manipulate how front-end and back-end servers interpret HTTP request boundaries, potentially enabling unauthorized access to internal systems, cache poisoning, or credential hijacking. The vulnerability c [truncated]
CVE-2026-42584 is a Netty HTTP client desynchronization issue affecting versions before 4.1.133.Final and 4.2.13.Final. In the vulnerable flow, HttpClientCodec can pair inbound responses to outbound requests incorrectly when pipelined requests include a GET followed by a HEAD and the server sends a 103 interim response, then a 200 for the GET body, then a 200 for the HEAD. The mismatch can cause the HEAD [truncated]
Netty's Lz4FrameDecoder contains an uncontrolled resource consumption vulnerability (CWE-400/CWE-770) that allows remote attackers to trigger excessive memory allocation. The decoder allocates a ByteBuf sized to the attacker-supplied decompressedLength (up to 32 MB per block) before any LZ4 decompression occurs. A malicious peer can force this allocation with only 21-22 bytes of network traffic, making th [truncated]
Netty's HttpObjectDecoder contains an HTTP request smuggling vulnerability affecting HTTP/1.0 requests. When both Transfer-Encoding: chunked and Content-Length headers are present, the decoder strips the conflicting Content-Length header for HTTP/1.1 but fails to apply the same protection for HTTP/1.0. This causes Netty to decode the body as chunked while preserving Content-Length in the forwarded HttpMes [truncated]
Netty's HTTP chunk size parser contains an integer overflow vulnerability that enables HTTP request smuggling attacks. The flaw occurs when parsing chunked transfer-encoding sizes, where a malformed chunk size value silently overflows the signed 32-bit integer type, causing Netty to misinterpret chunk boundaries. This can desynchronize the HTTP request/response stream between Netty-based servers and downs [truncated]
Netty's DNS codec fails to enforce RFC 1035 domain name constraints during encoding and decoding operations, creating a bidirectional attack surface. Malicious DNS responses can exploit the decoder, while attacker-influenced hostnames can exploit the encoder. The vulnerability affects Netty versions prior to 4.1.133.Final and 4.2.13.Final. This is a HIGH severity issue (CVSS 7.5) with network attack vecto [truncated]
Summary: Netty's epoll transport (versions 4.2.0.Final through 4.2.13.Final) fails to detect TCP RST packets on half-closed connections, causing stale channels to accumulate and, in certain code paths, triggering a 100% CPU busy-loop in the event loop thread. This denial-of-service condition requires no authentication and is remotely exploitable. Affected versions: Netty 4.2.0.Final to 4.2.13.F [truncated]
CVE-2026-33870 is a high-severity vulnerability in Netty, a popular network application framework. It allows for request smuggling attacks due to incorrect HTTP/1.1 chunked transfer encoding extension value parsing. This issue affects Netty versions prior to 4.1.132.Final and 4.2.10.Final. The vulnerability has a CVSS score of 7.5 and is considered high severity. Netty has released patched versions 4.1.13 [truncated]