EXECUTIVE SUMMARY:
Two vulnerabilities have been found in the SwiftNIO networking library. The first is an out-of-bounds memory write caused by a UInt32 overflow in ByteBuffer operations; the second is an uncontrolled resource consumption flaw in the NIOHTTP1 HTTPDecoder, which accepts header blocks of unbounded size. Both weaknesses can be triggered by a remote adversary supplying crafted indices, lengths, or HTTP header fields. In production environments, the memory-corruption flaw may lead to arbitrary code execution, while the decoder issue can cause denial-of-service conditions through excessive memory consumption or application crashes. Organizations relying on SwiftNIO for server or client applications face potential service disruption and data integrity risks.
CVE-2026-43671 (CVSS 8.3): An out-of-bounds write arises when attacker-controlled index or length values exceeding UInt32.max are passed to ByteBuffer methods, allowing memory corruption on 64-bit platforms; exploitation requires the ability to influence these parameters in network-related code.
CVE-2026-28980 (CVSS 8.7): The HTTPDecoder accepts an unlimited number of header fields and an unlimited total header size, enabling a remote peer to send massive numbers of small headers that exhaust server memory or trigger crashes in downstream frameworks; no authentication is required to launch the attack.
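The two limits the second entry calls for (a cap on header count and a cap on total header bytes), as an added example written for this page in Python: it is not SwiftNIO code and does not reflect NIO's own decoder or its default limits, and the limit values and sample header blocks are constructed.

```python
"""Bounded HTTP/1.x header-block decoding (added illustration, not SwiftNIO code).

Two limits keep a decoder from accumulating an unbounded header block: a cap on
the number of fields and a cap on total header bytes. Both are enforced while
bytes still arrive; a decoder that buffers until the blank line before checking
has already spent the memory. Limit values are constructed, not NIO defaults."""


class HeaderBlockError(Exception):
    """Header block violates a configured limit or is malformed."""


class BoundedHeaderDecoder:
    def __init__(self, max_header_count=100, max_header_bytes=16 * 1024):
        self.max_header_count = max_header_count
        self.max_header_bytes = max_header_bytes
        self.headers = []          # (name, value) pairs, names lower-cased
        self.done = False
        self._buf = bytearray()    # bytes not yet split into a complete line
        self._consumed = 0         # bytes of completed lines, CRLF included

    def feed(self, chunk):
        """Consume bytes after the request/status line; True once the blank line is seen."""
        if self.done:
            return True
        self._buf += chunk
        # Size check runs before any terminator search: a peer that never sends
        # the blank line must not be able to grow the buffer without bound.
        if self._consumed + len(self._buf) > self.max_header_bytes:
            raise HeaderBlockError("header block exceeds %d bytes" % self.max_header_bytes)
        while (end := self._buf.find(b"\r\n")) >= 0:
            line = bytes(self._buf[:end])
            del self._buf[:end + 2]
            self._consumed += end + 2
            if not line:               # empty line ends the header block
                self.done = True
                return True
            if len(self.headers) >= self.max_header_count:
                raise HeaderBlockError("more than %d header fields" % self.max_header_count)
            name, sep, value = line.partition(b":")
            if not sep or not name.strip():
                raise HeaderBlockError("malformed header line: %r" % line)
            self.headers.append((name.strip().lower().decode("latin-1"),
                                 value.strip().decode("latin-1")))
        return False                   # need more data; buffered bytes are already bounded


def decode_header_block(data, **limits):
    dec = BoundedHeaderDecoder(**limits)
    if not dec.feed(data):
        raise HeaderBlockError("header block not terminated")
    return dec.headers
```

Feeding the decoder chunk by chunk, as a network handler would, shows that both limits fire before the terminator arrives rather than after the whole block has been buffered.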
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details: