Description
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the MQTT 5 header Properties section is parsed and buffered before any message size limit is applied. Specifically, in MqttDecoder, the decodeVariableHeader() method is called before the bytesRemainingBeforeVariableHeader > maxBytesInMessage check. The decodeVariableHeader() can call other methods which will call decodeProperties(). Effectively, Netty does not apply any limits to the size of the properties being decoded. Additionally, because MqttDecoder extends ReplayingDecoder, Netty will repeatedly re-parse the enormous Properties sections and buffer the bytes in memory, until the entire thing parses to completion. This can cause high resource usage in both CPU and memory. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
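To make the ordering concrete, here is an added, simplified Python model of that decode sequence; it is an illustration written for this page, not Netty's code. It keeps only a fixed header with Remaining Length, a variable header reduced to the MQTT 5 Properties block, and a ReplayingDecoder-style retry from the start whenever bytes are missing; check_first=False reproduces the vulnerable order (Properties parsed and buffered before Remaining Length is compared with the limit), check_first=True rejects on Remaining Length before touching the Properties. All function names, the limit values and the 0x10 sample packet are constructed for the illustration.

```python
class TooLarge(Exception): pass   # Remaining Length exceeds the configured limit

def encode_varint(n):
    """MQTT variable byte integer: 7 data bits per byte, bit 7 = continuation."""
    out = bytearray()
    while True:
        n, b = divmod(n, 128)
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)

def decode_varint(buf, pos):
    value = 0
    for shift in range(0, 28, 7):
        b, pos = buf[pos], pos + 1        # IndexError here = not enough bytes yet (replay)
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
    raise ValueError("malformed variable byte integer")

def decode_packet(buf, max_bytes, check_first):
    """check_first=False parses Properties before the size check (the vulnerable order)."""
    remaining, pos = decode_varint(buf, 1)         # byte 0 is the control byte
    if check_first and remaining > max_bytes:
        raise TooLarge(remaining)
    plen, pos = decode_varint(buf, pos)            # Properties length
    if pos + plen > len(buf):
        raise IndexError("properties not fully arrived")
    props = bytes(buf[pos:pos + plen])             # buffered before any limit applies
    if not check_first and remaining > max_bytes:
        raise TooLarge(remaining)
    return props, pos + plen

def feed_in_chunks(packet, chunk, max_bytes, check_first):
    """Deliver packet in chunks; return (outcome, bytes scanned across all replays)."""
    buf, scanned = b"", 0
    for i in range(0, len(packet), chunk):
        buf += packet[i:i + chunk]
        try:
            return "decoded", scanned + decode_packet(buf, max_bytes, check_first)[1]
        except IndexError:
            scanned += len(buf)                    # each replay re-reads the whole buffer
        except TooLarge:
            return "rejected", scanned + len(buf)
    return "incomplete", scanned

def build_packet(prop_len):
    """Constructed sample: control byte 0x10 plus a Properties block of prop_len zero bytes."""
    body = encode_varint(prop_len) + bytes(prop_len)
    return b"\x10" + encode_varint(len(body)) + body
```

Feeding a constructed 100 kB packet in 4 kB chunks against a 1 kB limit, the vulnerable order scans about 1.3 MB across replays before it finally rejects the packet, while the fixed order rejects after the first chunk.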
Published: 2026-05-13
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In Netty versions older than 4.2.13.Final and 4.1.133.Final, the MQTT 5 header Properties section is parsed before a check on the total message size is performed. This allows an attacker to send a message whose Properties section is extremely large, causing the decoder to allocate many megabytes of memory and repeatedly re‑parse the data until completion. The result is excessive consumption of CPU and memory resources, which can degrade or halt services that use the affected Netty components.

Affected Systems

The flaw affects the Netty framework, specifically the netty-codec-mqtt library and the core netty artifact. All installations running any version earlier than 4.2.13.Final or 4.1.133.Final are vulnerable.

Risk and Exploitability

The CVSS vector indicates a medium severity (score 5.3). Because the vulnerability is triggered by MQTT traffic, it can be exploited remotely by an attacker who can direct malicious MQTT packets to the server. EPSS score is < 1% and the issue is not listed in CISA’s KEV catalog, suggesting that no widespread exploitation is known yet. Nevertheless, the potential for service disruption warrants timely mitigation.

Generated by OpenCVE AI on May 29, 2026 at 01:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Netty to version 4.2.13.Final or 4.1.133.Final to receive the fix for the Properties size check, which addresses uncontrolled resource consumption (CWE-400) and out‑of‑bounds allocation (CWE-770).
  • Configure network firewalls or intrusion prevention systems to limit or block excessive MQTT traffic from untrusted sources, and enforce stricter packet size limits before data reaches the application.
  • Monitor CPU and memory usage for anomalous spikes, and set up alerts to notify administrators if sustained high load indicative of a potential attack occurs.

Generated by OpenCVE AI on May 29, 2026 at 01:24 UTC.

Advisories

Source: GitHub GHSA
ID: GHSA-jfg9-48mv-9qgx
Title: Netty MQTT: Resource exhaustion in MqttDecoder
History

Fri, 29 May 2026 00:15:00 +0000

Weaknesses: added CWE-770
References: (no values shown)
Metrics (threat_severity): removed None; added Important


Mon, 18 May 2026 12:30:00 +0000

CPEs: added cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*

Thu, 14 May 2026 15:00:00 +0000

First Time appeared: added Io.netty; Io.netty netty-codec-mqtt; Netty; Netty netty
Vendors & Products: added Io.netty; Io.netty netty-codec-mqtt; Netty; Netty netty

Wed, 13 May 2026 20:15:00 +0000

Metrics (ssvc): added {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 13 May 2026 18:30:00 +0000

Description: added (identical to the Description at the top of this page)
Title: added Netty: Resource exhaustion in MqttDecoder
Weaknesses: added CWE-400
References: (no values shown)
Metrics (cvssV3_1): added {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-13T19:16:58.429Z

Reserved: 2026-05-05T16:33:55.844Z

Link: CVE-2026-44248

Vulnrichment

Updated: 2026-05-13T19:11:19.017Z

NVD

Status: Analyzed

Published: 2026-05-13T19:17:27.143

Modified: 2026-05-18T12:15:48.300

Link: CVE-2026-44248

Redhat

Severity: Important

Public Date: 2026-05-13T18:23:37Z

Links: CVE-2026-44248 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-29T01:30:16Z

Weaknesses