Description
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate encodings via ZlibDecoder, but is silently ignored when the content encoding is br (Brotli), zstd, or snappy. An attacker can bypass the configured decompression limit by sending a compressed payload with Content-Encoding: br instead of Content-Encoding: gzip, causing unbounded memory allocation and out-of-memory denial of service. The same vulnerability exists in DelegatingDecompressorFrameListener for HTTP/2 connections. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Published: 2026-05-13
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A failure to enforce the maxAllocation parameter in Netty’s HttpContentDecompressor allows an attacker to supply a deeply compressed payload that bypasses the memory limit when the Content‑Encoding header is set to brotli, zstd, or snappy. The decompressor then allocates an unbounded amount of memory, potentially exhausting system resources and causing an out‑of‑memory denial of service. This weakness is identified as CWE‑400 and CWE‑770, the former being a generic resource‑exhaustion flaw and the latter indicating an insufficient system capability to handle the resource demands.

Affected Systems

The vulnerability affects Netty components io.netty:netty-codec-http, io.netty:netty-codec-http2, and the core netty library. All releases before 4.2.13.Final and 4.1.133.Final are susceptible, including earlier 4.x and 4.1.x versions. HTTP/2 connections through DelegatingDecompressorFrameListener are also impacted.

Risk and Exploitability

The CVSS score of 7.5 indicates substantial severity. The EPSS score of 0.00018 (≈0.018 %) indicates a very low but non‑zero probability of exploitation, consistent with the fact that the flaw requires a specially crafted HTTP request. The vulnerability is not listed in CISA’s KEV catalog, yet it can be triggered wherever Netty is used to decode compressed HTTP traffic. The likely attack vector is an HTTP request containing a maliciously compressed payload with a Content‑Encoding header set to br, zstd, or snappy, causing the server to allocate memory beyond the configured limit.

Generated by OpenCVE AI on May 29, 2026 at 02:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Netty resources to version 4.2.13.Final or later, or 4.1.133.Final or later.
  • If an upgrade is not immediately possible, configure the Netty pipeline to reject or drop requests that use Content‑Encoding headers of brotli, zstd, or snappy.
  • Continuously monitor memory usage of Netty processes and configure automatic restarts or OOM detection mechanisms to mitigate prolonged resource exhaustion.

Generated by OpenCVE AI on May 29, 2026 at 02:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-f6hv-jmp6-3vwv Netty: HttpContentDecompressor maxAllocation bypass when Content-Encoding set to br/zstd/snappy leads to decompression bomb DoS
History

Fri, 29 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-770
References
Metrics threat_severity

None

 threat_severity

Important

Mon, 18 May 2026 12:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*

Thu, 14 May 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Io.netty
Io.netty netty-codec-http
Io.netty netty-codec-http2
Netty
Netty netty
Vendors & Products Io.netty
Io.netty netty-codec-http
Io.netty netty-codec-http2
Netty
Netty netty

Wed, 13 May 2026 18:30:00 +0000

Type Values Removed Values Added
Description Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate encodings via ZlibDecoder, but is silently ignored when the content encoding is br (Brotli), zstd, or snappy. An attacker can bypass the configured decompression limit by sending a compressed payload with Content-Encoding: br instead of Content-Encoding: gzip, causing unbounded memory allocation and out-of-memory denial of service. The same vulnerability exists in DelegatingDecompressorFrameListener for HTTP/2 connections. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Title Netty: HttpContentDecompressor maxAllocation bypass via Content-Encoding: br/zstd/snappy enables decompression bomb DoS
Weaknesses CWE-400
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Io.netty Netty-codec-http Netty-codec-http2
Netty Netty
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-13T18:44:09.298Z

Reserved: 2026-04-28T17:26:12.086Z

Link: CVE-2026-42587

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-13T19:17:24.460

Modified: 2026-05-18T12:20:06.340

Link: CVE-2026-42587

cve-icon Redhat

Severity : Important

Publid Date: 2026-05-13T18:22:21Z

Links: CVE-2026-42587 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-29T02:15:16Z

Weaknesses