Description
Netty is a network application framework for development of protocol servers and clients. In netty-codec-haproxy prior to versions 4.1.135.Final and 4.2.15.Final, when decoding a PP2_TYPE_SSL TLV, HAProxyMessage.readNextTLV() first calls `header.retainedSlice(header.readerIndex(), length)` and only then reads the 1-byte client field and 4-byte verify field. If the attacker sets the TLV length below 5, the subsequent readByte/readInt throws IndexOutOfBoundsException. HAProxyMessageDecoder only catches HAProxyProtocolException around this call, so the IOOBE propagates and the retained slice on the pooled cumulation buffer is never released. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
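To make the ordering the description talks about concrete, here is an added Java sketch (not Netty's own code) that places the vulnerable step beside a hardened one: the first helper retains the slice before reading the two fields, the second rejects a too-short length with the exception the decoder already handles and releases the slice on any later failure. It assumes Netty's ByteBuf API (Unpooled, retainedSlice, readByte, readInt, release, refCnt) and the HAProxyProtocolException type named above; the 3-byte TLV body is constructed for the demonstration.

```java
import io.netty.buffer.ByteBuf;
import io.netty.buffer.Unpooled;
import io.netty.handler.codec.haproxy.HAProxyProtocolException;

public class SslTlvSliceLeakDemo {
    // Ordering the advisory describes: retain first, then read the 1-byte client and
    // 4-byte verify fields. With length < 5 the reads throw IOOBE and rawContent leaks.
    static ByteBuf readSslTlvVulnerable(ByteBuf header, int length) {
        ByteBuf rawContent = header.retainedSlice(header.readerIndex(), length); // parent refCnt goes up
        byte client = header.readByte();
        int verify = header.readInt();
        return rawContent;
    }

    // Hardened ordering: validate before retaining (HAProxyProtocolException is what the
    // decoder catches), and release on any later failure so the slice never outlives the call.
    static ByteBuf readSslTlvFixed(ByteBuf header, int length) {
        if (length < 5) {
            throw new HAProxyProtocolException("PP2_TYPE_SSL TLV length " + length + " is below 5");
        }
        ByteBuf rawContent = header.retainedSlice(header.readerIndex(), length);
        try {
            byte client = header.readByte();
            int verify = header.readInt();
            return rawContent;
        } catch (RuntimeException e) {
            rawContent.release();
            throw e;
        }
    }

    static ByteBuf shortTlv() { // constructed input: a TLV body of only 3 bytes
        return Unpooled.buffer().writeBytes(new byte[] {0x01, 0x02, 0x03});
    }

    public static void main(String[] args) {
        ByteBuf a = shortTlv();
        try {
            readSslTlvVulnerable(a, 3);
        } catch (IndexOutOfBoundsException e) {
            // The retained, never-released slice keeps the header's reference count elevated.
            System.out.println("vulnerable path: header refCnt = " + a.refCnt());
        }
        ByteBuf b = shortTlv();
        try {
            readSslTlvFixed(b, 3);
        } catch (HAProxyProtocolException e) {
            // Nothing was retained before the length check, so the count is unchanged.
            System.out.println("fixed path: header refCnt = " + b.refCnt());
        }
    }
}
```

Run it with netty-buffer and netty-codec-haproxy on the classpath; comparing the two printed reference counts shows the leak the advisory describes.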
Published: 2026-06-12
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Netty’s HAProxy codec parses a PP2_TYPE_SSL TLV by first retaining a slice of the buffered data before validating that the TLV length is at least 5 bytes. If an attacker supplies a TLV with a length less than 5, the codec attempts to read a byte and a 4-byte integer that are not present, raising an IndexOutOfBoundsException. This exception propagates out of the decoder but the pre-retained slice is never released, causing a memory leak that grows each time the codec processes a malformed message.

Affected Systems

The issue affects the netty-codec-haproxy module of Netty, with vulnerable releases prior to 4.1.135.Final and 4.2.15.Final. Applications that embed those Netty versions and expose a HAProxy listener are susceptible.

Risk and Exploitability

The CVSS score of 7.5 indicates significant impact, while the EPSS score of less than 1% and absence from the CISA KEV catalog suggest that real-world exploitation is currently unlikely. Based on the description, the most probable attack vector is an external client that can send HAProxy traffic to the vulnerable Netty service; such traffic may trigger the exception and gradually exhaust memory, potentially bringing the application to a halt.

Generated by OpenCVE AI on June 12, 2026 at 16:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Netty to version 4.1.135.Final, 4.2.15.Final, or later to apply the patch for the retained slice leak
  • Limit incoming HAProxy traffic to trusted networks by applying firewall rules or network segmentation so that only authorized clients can reach the Netty service
  • Configure the Netty application to catch and handle IndexOutOfBoundsExceptions in the pipeline, ensuring that any leaked buffer slices are released and that the server can recover or gracefully restart if memory consumption rises

Generated by OpenCVE AI on June 12, 2026 at 16:29 UTC.

Tracking


Advisories
Source: GitHub GHSA
ID: GHSA-cc37-9q2j-3hfv
Title: Netty: HAProxy SSL TLV parsing leaks retained slice on invalid TLV length
History

Fri, 12 Jun 2026 15:45:00 +0000

Values added:
  First Time appeared: Netty; Netty netty
  Vendors & Products: Netty; Netty netty

Fri, 12 Jun 2026 14:30:00 +0000

Values added:
  Description: the CVE description quoted at the top of this page
  Title: Netty: HAProxy SSL TLV parsing leaks retained slice on invalid TLV length
  Weaknesses: CWE-703
  References:
  Metrics: cvssV3_1, score 7.5, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T14:04:45.663Z

Reserved: 2026-05-07T21:50:33.545Z

Link: CVE-2026-44893

Vulnrichment

No data.

NVD

Status: Undergoing Analysis

Published: 2026-06-12T15:16:26.103

Modified: 2026-06-12T15:55:06.377

Link: CVE-2026-44893

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T16:30:14Z

Weaknesses
  • CWE-703: Improper Check or Handling of Exceptional Conditions