Source: netty
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for netty.

CVE-2026-44892[0]:
| Netty is a network application framework for development of protocol
| servers and clients. Prior to version 4.2.15.Final, the default
| configuration of the `Http3ConnectionHandler` in the Netty HTTP/3
| codec lacks an enforced maximum header size limit. When a peer does
| not explicitly specify `HTTP3_SETTINGS_MAX_FIELD_SECTION_SIZE`, the
| implementation defaults to an unbounded limit. This insecure default
| configuration allows a malicious client or server to send an
| enormous number of headers, leading to a memory exhaustion Denial of
| Service via an `OutOfMemoryError`. Version 4.2.15.Final contains a
| patch.

https://github.com/netty/netty/security/advisories/GHSA-c2rx-5r8w-8xr2

CVE-2026-44890[1]:
| Netty is a network application framework for development of protocol
| servers and clients. In netty-codec-redis prior to versions
| 4.1.135.Final and 4.2.15.Final, an attacker can cause DoS by sending
| crafted Redis payloads across multiple connections without `\r\n`.
| This exhausts the server's direct memory pool
| (OutOfDirectMemoryError), preventing legitimate connections from
| being processed. Versions 4.1.135.Final and 4.2.15.Final patch the
| issue.

https://github.com/netty/netty/security/advisories/GHSA-6ghj-frrj-jjj3

CVE-2026-44250[2]:
| Netty is a network application framework for development of protocol
| servers and clients. In netty-codec-redis prior to versions
| 4.1.135.Final and 4.2.15.Final, an attacker can cause DoS by sending
| a crafted Redis payload with deeply nested arrays. This forces the
| server to allocate a massive number of state objects and
| collections, leading to memory exhaustion and an OutOfMemoryError.
| Versions 4.1.135.Final and 4.2.15.Final patch the issue.

https://github.com/netty/netty/security/advisories/GHSA-3244-j874-rhc2

CVE-2026-44249[3]:
| Netty is a network application framework for development of protocol
| servers and clients. In netty-handler prior to versions
| 4.1.135.Final and 4.2.15.Final, an attacker can bypass IPv6 subnet
| rules due to an incorrect masking operation in
| IpSubnetFilterRule.compareTo(). Valid public IP addresses can bypass
| the restrictions. Versions 4.1.135.Final and 4.2.15.Final patch the
| issue.

https://github.com/netty/netty/security/advisories/GHSA-3qp7-7mw8-wx86

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-44892
    https://www.cve.org/CVERecord?id=CVE-2026-44892
[1] https://security-tracker.debian.org/tracker/CVE-2026-44890
    https://www.cve.org/CVERecord?id=CVE-2026-44890
[2] https://security-tracker.debian.org/tracker/CVE-2026-44250
    https://www.cve.org/CVERecord?id=CVE-2026-44250
[3] https://security-tracker.debian.org/tracker/CVE-2026-44249
    https://www.cve.org/CVERecord?id=CVE-2026-44249

Please adjust the affected versions in the BTS as needed.

-- 
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use [email protected] for discussions and questions.
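The two netty-codec-redis advisories above (CVE-2026-44890, a payload that never carries a `\r\n` terminator, and CVE-2026-44250, deeply nested arrays) both come down to a decoder that keeps allocating on attacker-controlled input with no bound. The following is an added example, not netty's code or the Debian package's, written in Python rather than Java to keep it self-contained: a small RESP decoder that enforces a maximum unterminated line length, a maximum declared bulk-string size, a maximum array nesting depth and a cap on buffered bytes. All limit names and default values are assumptions chosen for the illustration, and the sample payloads are constructed.

```python
"""Bounded RESP (Redis protocol) decoder, illustrating the codec-redis failure
modes described above. Example code, not netty's; limits are assumed values."""
from dataclasses import dataclass, field


class RespLimitExceeded(ValueError):
    """A configured resource bound was hit; the caller should drop the connection."""


class _Incomplete(Exception):
    """More bytes are needed before a full message can be decoded."""


@dataclass
class RespError:
    message: str


@dataclass
class BoundedRespDecoder:
    # Assumed example limits, not Redis or netty defaults.
    max_line_bytes: int = 64 * 1024        # longest line, terminated or not, we will scan
    max_bulk_bytes: int = 512 * 1024       # largest declared bulk-string body
    max_depth: int = 32                    # deepest array nesting
    max_buffered_bytes: int = 1024 * 1024  # most bytes held while a message is incomplete
    _buf: bytes = field(default=b"", repr=False)

    def feed(self, data: bytes) -> list:
        """Append bytes from the wire and return every complete message now decodable."""
        self._buf += data
        out = []
        while self._buf:
            try:
                value, consumed = self._parse(self._buf, 0, 0)
            except _Incomplete:
                # A peer may hold the connection open forever; cap what we remember for it.
                if len(self._buf) > self.max_buffered_bytes:
                    raise RespLimitExceeded(f"{len(self._buf)} bytes buffered, no complete message")
                break
            out.append(value)
            self._buf = self._buf[consumed:]
        return out

    def _parse(self, buf: bytes, pos: int, depth: int):
        if depth > self.max_depth:
            raise RespLimitExceeded(f"array nesting deeper than {self.max_depth}")
        end = buf.find(b"\r\n", pos)
        if end == -1:
            # No terminator yet: refuse to keep scanning an over-long line indefinitely.
            if len(buf) - pos > self.max_line_bytes:
                raise RespLimitExceeded(f"line exceeds {self.max_line_bytes} bytes without CRLF")
            raise _Incomplete()
        if end - pos > self.max_line_bytes:
            raise RespLimitExceeded(f"line exceeds {self.max_line_bytes} bytes")
        kind, line, nxt = buf[pos:pos + 1], buf[pos + 1:end], end + 2
        if kind == b"+":
            return line.decode("utf-8", "replace"), nxt
        if kind == b"-":
            return RespError(line.decode("utf-8", "replace")), nxt
        if kind == b":":
            return int(line), nxt
        if kind == b"$":
            n = int(line)
            if n == -1:
                return None, nxt                      # null bulk string
            if n < 0:
                raise ValueError("negative bulk length")
            if n > self.max_bulk_bytes:
                # Checked before any allocation: a declared length alone must not drive memory use.
                raise RespLimitExceeded(f"bulk string of {n} bytes exceeds {self.max_bulk_bytes}")
            if len(buf) < nxt + n + 2:
                raise _Incomplete()
            if buf[nxt + n:nxt + n + 2] != b"\r\n":
                raise ValueError("bulk string body not CRLF-terminated")
            return buf[nxt:nxt + n], nxt + n + 2
        if kind == b"*":
            n = int(line)
            if n == -1:
                return None, nxt                      # null array
            if n < 0:
                raise ValueError("negative array length")
            items = []
            for _ in range(n):
                item, nxt = self._parse(buf, nxt, depth + 1)   # depth grows per nested array
                items.append(item)
            return items, nxt
        raise ValueError(f"unknown RESP type byte {kind!r}")


def classify(data: bytes, **limits) -> str:
    """Feed one constructed payload to a fresh decoder: 'ok' (complete message),
    'incomplete' (waiting for bytes), 'limit' (bound hit, drop the connection) or 'malformed'."""
    try:
        messages = BoundedRespDecoder(**limits).feed(data)
    except RespLimitExceeded:
        return "limit"
    except ValueError:
        return "malformed"
    return "ok" if messages else "incomplete"


if __name__ == "__main__":
    print(classify(b"*2\r\n$4\r\nPING\r\n:7\r\n"))   # constructed: a normal command
    print(classify(b"A" * 100_000))                 # constructed: no CRLF, ever
    print(classify(b"*1\r\n" * 40 + b":1\r\n"))     # constructed: 40 nested arrays
    print(classify(b"$2000000\r\n"))                # constructed: huge declared bulk length
```

The decision that matters for the advisories is where the checks sit: the line-length check fires while the terminator is still absent, the bulk-size check fires on the declared length before any body bytes are read, and the depth counter is incremented on every array level rather than on total element count. On `RespLimitExceeded` the right response is to close the connection rather than retry, since the remaining input from that peer cannot be trusted to ever complete.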
