Description
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, the HAProxy PROXY protocol v2 codec in netty leaks native or heap memory on every connection when a client sends a syntactically valid header containing nested `PP2_TYPE_SSL` TLVs (type-length-value records) at depth two or greater. The leak occurs on the successful parse path — no exception is thrown, the message fires downstream, the decoder removes itself, and the application releases the `HAProxyMessage` normally. Yet the underlying cumulation buffer (a pooled, potentially direct `ByteBuf` allocated by the channel) remains permanently pinned. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Published: 2026-06-12
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Netty, a network application framework, has a flaw in its HAProxy PROXY protocol v2 decoder where nested PP2_TYPE_SSL type-length-value records at depth two or greater cause a subtle reference-count leak. The decoder processes the header without throwing an exception, forwards the message downstream, and normally releases the HAProxyMessage object, yet the underlying pooled buffer remains permanently pinned. This results in a memory leak that can deplete either native or heap memory, potentially leading to application slowdown, out‑of‑memory errors, or restart. The weakness is a classic memory‑management defect under CWE‑401.

Affected Systems

The vulnerability affects the Netty library, specifically all versions prior to 4.1.135.Final and 4.2.15.Final. Any application that integrates Netty and uses the HAProxy PROXY protocol v2 support is in scope; updating to the patched releases removes the issue.

Risk and Exploitability

At a CVSS score of 8.7 the vulnerability is high severity. The EPSS score of < 1% indicates a very low but non‑zero probability of exploitation, and the flaw is not listed in CISA KEV, so there are no publicly known exploits currently. The likely attack vector is remote: an attacker can connect to a Netty‑based service that exposes the HAProxy v2 codec and send a specially crafted header with nested SSL TLVs. The memory exhaustion can be triggered repeatedly, making it a denial‑of‑service attack that targets resource availability rather than confidentiality or integrity.

Generated by OpenCVE AI on June 12, 2026 at 16:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Netty to version 4.1.135.Final or 4.2.15.Final, which contain the fixed reference‑count logic.
  • If a patch is not immediately possible, disable HAProxy PROXY protocol v2 support or add middleware that rejects headers containing nested PP2_TYPE_SSL TLVs beyond the first level.
  • Implement connection rate limiting or other throttling mechanisms to mitigate repeated memory exhaustion attempts.

Generated by OpenCVE AI on June 12, 2026 at 16:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-h2qv-fj59-j46j Netty HAProxy: Unbalanced Reference Count in Nested PP2_TYPE_SSL TLV Parsing Leads to Memory Exhaustion
History

Fri, 12 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 12 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Netty
Netty netty
Vendors & Products Netty
Netty netty

Fri, 12 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, the HAProxy PROXY protocol v2 codec in netty leaks native or heap memory on every connection when a client sends a syntactically valid header containing nested `PP2_TYPE_SSL` TLVs (type-length-value records) at depth two or greater. The leak occurs on the successful parse path — no exception is thrown, the message fires downstream, the decoder removes itself, and the application releases the `HAProxyMessage` normally. Yet the underlying cumulation buffer (a pooled, potentially direct `ByteBuf` allocated by the channel) remains permanently pinned. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Title Netty HAProxy: Unbalanced Reference Count in Nested PP2_TYPE_SSL TLV Parsing Leads to Memory Exhaustion
Weaknesses CWE-401
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Netty Netty
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T16:19:45.689Z

Reserved: 2026-05-20T18:25:25.707Z

Link: CVE-2026-48059

cve-icon Vulnrichment

Updated: 2026-06-12T16:14:22.148Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-06-12T16:16:30.720

Modified: 2026-06-12T16:18:27.287

Link: CVE-2026-48059

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-12T16:30:14Z

Weaknesses
  • CWE-401

    Missing Release of Memory after Effective Lifetime