Description
Netty is a network application framework for development of protocol servers and clients. In versions of netty-transport-sctp prior to 4.1.135.Final and 4.2.15.Final, for each non-complete SctpMessage fragment the handler does `fragments.put(streamId, Unpooled.wrappedBuffer(frag, byteBuf))`, wrapping the previous accumulator and the new slice into a *new* CompositeByteBuf every time. After N fragments the accumulator is an N-deep chain of composites, each holding references and component arrays; readableBytes()/getBytes() on the final buffer recurse N levels. There is no limit on N, on total bytes, or on the number of streamIdentifiers an attacker can open (each gets its own map entry). A peer that never sets the `complete` flag can grow this structure indefinitely from tiny 1-byte DATA chunks. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
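The fix pattern the description implies, as an added illustration that is not Netty's own code or the upstream patch: a reassembler written against public Netty APIs that keeps one flat CompositeByteBuf per stream and caps both total bytes and open streams. The class name and the limit values are assumptions.

```java
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import io.netty.buffer.ByteBuf;
import io.netty.buffer.CompositeByteBuf;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.sctp.SctpMessage;
import io.netty.handler.codec.MessageToMessageDecoder;
import io.netty.handler.codec.TooLongFrameException;
/** Hypothetical bounded reassembler; not Netty's SctpMessageCompletionHandler. */
public class BoundedSctpReassembler extends MessageToMessageDecoder<SctpMessage> {
    private static final int MAX_BYTES_PER_STREAM = 1024 * 1024; // assumed cap on total bytes
    private static final int MAX_OPEN_STREAMS = 64;              // assumed cap on map entries
    // One flat composite per stream: fragments are appended as sibling components,
    // never wrapped inside a new composite, so depth stays 1 for any fragment count.
    private final Map<Integer, CompositeByteBuf> fragments = new HashMap<>();

    @Override
    protected void decode(ChannelHandlerContext ctx, SctpMessage msg, List<Object> out) {
        int streamId = msg.streamIdentifier();
        ByteBuf chunk = msg.content();
        CompositeByteBuf acc = fragments.get(streamId);
        if (acc == null) {
            if (msg.isComplete()) {      // unfragmented DATA chunk: pass it through
                out.add(msg.retain());   // the decoder releases msg after decode returns
                return;
            }
            if (fragments.size() >= MAX_OPEN_STREAMS) {
                throw new TooLongFrameException("too many open SCTP streams: " + fragments.size());
            }
            acc = ctx.alloc().compositeBuffer();
            fragments.put(streamId, acc);
        }
        if (acc.readableBytes() + chunk.readableBytes() > MAX_BYTES_PER_STREAM) {
            fragments.remove(streamId).release();   // drop the partial message and free it
            throw new TooLongFrameException("SCTP message on stream " + streamId + " too large");
        }
        acc.addComponent(true, chunk.retain());     // flat append; writerIndex advances
        if (msg.isComplete()) {                      // last fragment: emit the reassembled message
            fragments.remove(streamId);
            out.add(new SctpMessage(msg.protocolIdentifier(), streamId, msg.isUnordered(), acc));
        }
    }

    @Override
    public void handlerRemoved(ChannelHandlerContext ctx) {
        for (CompositeByteBuf acc : fragments.values()) acc.release(); // no leaked partials
        fragments.clear();
    }
}
```

Because every fragment lands in the same composite, readableBytes() and getBytes() stay shallow, and both limits turn an unbounded peer into a single TooLongFrameException that the pipeline's exception handler can act on.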
Published: 2026-06-12
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability occurs in Netty's SCTP reassembly logic, where each incomplete fragment is wrapped into a new CompositeByteBuf, creating an unbounded chain of buffers. Without any limits on fragment count, total size, or stream identifiers, an attacker can send many small fragments that never set the complete flag, causing the accumulator to grow indefinitely. The effect is uncontrolled memory allocation that may exhaust the JVM heap and lead to application crashes or significant performance degradation. This weakness is a classic case of uncontrolled memory consumption (CWE-770).

Affected Systems

Affected instances are Netty implementations that use the netty-transport-sctp module in versions prior to 4.1.135.Final and 4.2.15.Final. The fix is included in Netty releases 4.1.135.Final and 4.2.15.Final.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity. The EPSS score is listed as less than 1%, implying a low predicted likelihood of exploitation, and the vulnerability is not currently in CISA's KEV catalog. In practice, the attack requires an external host that can send SCTP packets to the target application, so the attack vector is remote over the network. An attacker could achieve denial of service by exhausting memory, potentially causing an out-of-memory error or a crash that interrupts service availability.

Generated by OpenCVE AI on June 12, 2026 at 15:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Netty to version 4.1.135.Final or 4.2.15.Final or later, which includes the patch that limits the buffer chaining.
  • If an immediate upgrade is not possible, implement application-level checks to reject or limit SCTP fragments that are excessively large or excessively numerous, and consider configuring network filters to cap the size of incoming SCTP packets.
  • Monitor JVM memory usage and application logs for signs of abnormal CompositeByteBuf allocations or out-of-memory conditions, and alert administrators when thresholds are crossed.


Advisories
Source: Github GHSA
ID: GHSA-5xrh-qmmq-w6ch
Title: Netty: SCTP reassembly nests buffers without bound
History

Fri, 12 Jun 2026 17:30:00 +0000

Values added:
  • Metrics (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 12 Jun 2026 16:15:00 +0000

Values added:
  • First Time appeared: Netty; Netty netty
  • Vendors & Products: Netty; Netty netty

Fri, 12 Jun 2026 14:30:00 +0000

Values added:
  • Description: the text given in the Description section at the top of this page
  • Title: Netty: SCTP reassembly nests buffers without bound
  • Weaknesses: CWE-770
  • References:
  • Metrics (cvssV3_1): {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-06-12T16:31:09.511Z
Reserved: 2026-05-13T18:37:30.990Z
Link: CVE-2026-46340

Vulnrichment
Updated: 2026-06-12T16:31:04.916Z

NVD
Status: Undergoing Analysis
Published: 2026-06-12T15:16:27.743
Modified: 2026-06-12T15:55:06.377
Link: CVE-2026-46340

Redhat
No data.

OpenCVE Enrichment
Updated: 2026-06-12T16:00:20Z

Weaknesses
  • CWE-770: Allocation of Resources Without Limits or Throttling