Description
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, the HAProxy PROXY protocol v2 codec in netty leaks native or heap memory on every connection when a client sends a syntactically valid header containing nested `PP2_TYPE_SSL` TLVs (type-length-value records) at depth two or greater. The leak occurs on the successful parse path — no exception is thrown, the message fires downstream, the decoder removes itself, and the application releases the `HAProxyMessage` normally. Yet the underlying cumulation buffer (a pooled, potentially direct `ByteBuf` allocated by the channel) remains permanently pinned. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Published: 2026-06-12
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Netty, a network application framework, has a flaw in its HAProxy PROXY protocol v2 decoder where nested PP2_TYPE_SSL type-length-value records at depth two or greater cause a subtle reference‑count leak. The decoder processes the header without throwing an exception, forwards the message downstream, and normally releases the HAProxyMessage object, yet the underlying pooled buffer remains permanently pinned. This results in a memory leak that can deplete either native or heap memory, potentially leading to application slowdown, out‑of‑memory errors, or restart. The weakness is a classic memory‑management defect under CWE‑401 and a reference‑count management error under CWE‑1286.

Affected Systems

The vulnerability affects the Netty library, specifically all versions prior to 4.1.135.Final and 4.2.15.Final. Any application that integrates Netty and uses the HAProxy PROXY protocol v2 support is in scope; updating to the patched releases removes the issue.

Risk and Exploitability

At a CVSS score of 8.7 the vulnerability is high severity. The EPSS score of < 1% indicates a very low but non‑zero probability of exploitation, and the flaw is not listed in CISA KEV, so there are no publicly known exploits currently. The likely attack vector is remote: an attacker can connect to a Netty‑based service that exposes the HAProxy v2 codec and send a specially crafted header with nested SSL TLVs. The memory exhaustion can be triggered repeatedly, making it a denial‑of‑service attack that targets resource availability rather than confidentiality or integrity.

Generated by OpenCVE AI on June 13, 2026 at 13:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Netty to version 4.1.135.Final or 4.2.15.Final, which contain the fixed reference‑count logic.
  • If a patch is not immediately possible, disable HAProxy PROXY protocol v2 support or add middleware that rejects headers containing nested PP2_TYPE_SSL TLVs beyond the first level.
  • Implement connection rate limiting or other throttling mechanisms to mitigate repeated memory exhaustion attempts.

Generated by OpenCVE AI on June 13, 2026 at 13:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-h2qv-fj59-j46j Netty HAProxy: Unbalanced Reference Count in Nested PP2_TYPE_SSL TLV Parsing Leads to Memory Exhaustion
History

Mon, 15 Jun 2026 02:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*

Sat, 13 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1286
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Important


Fri, 12 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 12 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Netty
Netty netty
Vendors & Products Netty
Netty netty

Fri, 12 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, the HAProxy PROXY protocol v2 codec in netty leaks native or heap memory on every connection when a client sends a syntactically valid header containing nested `PP2_TYPE_SSL` TLVs (type-length-value records) at depth two or greater. The leak occurs on the successful parse path — no exception is thrown, the message fires downstream, the decoder removes itself, and the application releases the `HAProxyMessage` normally. Yet the underlying cumulation buffer (a pooled, potentially direct `ByteBuf` allocated by the channel) remains permanently pinned. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Title Netty HAProxy: Unbalanced Reference Count in Nested PP2_TYPE_SSL TLV Parsing Leads to Memory Exhaustion
Weaknesses CWE-401
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-30T12:09:59.156Z

Reserved: 2026-05-20T18:25:25.707Z

Link: CVE-2026-48059

cve-icon Vulnrichment

Updated: 2026-06-30T03:18:49.211Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-12T16:16:30.720

Modified: 2026-06-15T01:56:30.947

Link: CVE-2026-48059

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-12T14:42:44Z

Links: CVE-2026-48059 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-13T13:30:09Z

Weaknesses
  • CWE-1286

    Improper Validation of Syntactic Correctness of Input

  • CWE-401

    Missing Release of Memory after Effective Lifetime