EXECUTIVE SUMMARY:
Netty vulnerabilities span the transport, DNS codec, HTTP/3 QPACK, LZ4, HTTP client, and decompression modules, leading to denial-of-service conditions, memory exhaustion, CPU spin loops, and protocol parsing inconsistencies. Key issues include improper handling of half-closed TCP connections causing stale channels and CPU usage spikes, DNS codec input validation failures enabling cache poisoning and memory abuse, unsafe HTTP/3 QPACK literal decoding leading to massive memory allocation, LZ4 frame decoding that pre-allocates large buffers from untrusted headers, HTTP/1.1 pipelining desynchronization causing response misbinding, and decompression handling bypasses in Brotli/Zstd/Snappy that ignore configured memory limits. These flaws primarily stem from missing input validation, improper resource lifecycle management, and inconsistent enforcement of protocol constraints, making Netty-based applications vulnerable to denial-of-service and data integrity issues.
CVE-2026-42577 (CVSS score 7.5): A flaw in the Netty epoll transport where half-closed TCP connections followed by RST packets are not properly cleaned up, leading to stale channels and a potential event-loop busy spin, causing denial of service through resource exhaustion.
CVE-2026-42579 (CVSS score 7.5): An input validation flaw in the DNS codec that allows malformed domain names, leading to DNS cache poisoning, domain validation bypass, and unbounded memory allocation during decoding.
CVE-2026-42582 (CVSS score 7.5): An HTTP/3 QPACK decoder flaw where excessively large buffers are allocated based on attacker-controlled length fields before the available input is validated, enabling gigabyte-scale memory allocation from minimal network input and causing a DoS.
CVE-2026-42583 (CVSS score 7.5): A vulnerability in LZ4FrameDecoder where premature buffer allocation uses untrusted decompressed length values, allowing attackers to trigger large memory allocations with very small compressed payloads.
CVE-2026-42584 (CVSS score 7.3): A flaw in the HTTP/1.1 HttpClientCodec that mismanages pipelined responses with 1xx intermediate headers, leading to request-response desynchronization, incorrect body parsing, and potential data integrity issues on persistent connections.
CVE-2026-42587 (CVSS score 7.5): A flaw in HttpContentDecompressor where maxAllocation limits are not enforced for Brotli, Zstd, and Snappy encodings, allowing decompression bombs that bypass the gzip protections and lead to uncontrolled memory consumption and OOM crashes.
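The QPACK and LZ4 issues above share one root cause: a buffer is sized from a length field in the input before the decoder has checked that the input can justify it. The following is an added illustration, not Netty code; it uses a constructed toy frame format (8-byte little-endian declared output size followed by run-length pairs) and an assumed 1 MiB cap standing in for a configured maxAllocation, and contrasts what a naive decoder would allocate with a decoder that treats the declared size as a claim to verify.

```python
import struct

# Cap modelled on a configured maxAllocation (the 1 MiB value is an assumption).
MAX_ALLOCATION = 1 << 20

class FrameError(ValueError):
    """Raised when a frame fails validation before any large allocation."""

def declared_size(frame: bytes) -> int:
    """Size a naive decoder would allocate up front: the untrusted header
    value, read before checking how much input actually follows it."""
    if len(frame) < 8:
        raise FrameError("truncated header")
    return struct.unpack_from("<Q", frame, 0)[0]

def decode_bounded(frame: bytes, max_allocation: int = MAX_ALLOCATION) -> bytes:
    """Hardened decoder: reject declared sizes above the cap, then grow the
    output only as verified input is consumed, so a tiny frame can never
    force a large allocation."""
    declared = declared_size(frame)
    if declared > max_allocation:
        raise FrameError(f"declared size {declared} exceeds maxAllocation {max_allocation}")
    body = frame[8:]
    if len(body) % 2:
        raise FrameError("truncated run")
    out = bytearray()  # sized by what is actually decoded, not by the header
    for i in range(0, len(body), 2):
        run, value = body[i], body[i + 1]
        if len(out) + run > declared:
            raise FrameError("decoded output exceeds declared size")
        out.extend(bytes([value]) * run)
    if len(out) != declared:
        raise FrameError("declared size does not match decoded output")
    return bytes(out)

def make_frame(declared: int, runs: list[tuple[int, int]]) -> bytes:
    """Build a frame in the constructed toy format (helper for the samples)."""
    body = b"".join(bytes([run, value]) for run, value in runs)
    return struct.pack("<Q", declared) + body

# Constructed samples: a well-formed 6-byte payload, and a 10-byte frame that
# claims an 8 GiB decompressed size (the shape of the LZ4/QPACK reports).
GOOD_FRAME = make_frame(6, [(3, ord("A")), (3, ord("B"))])
BOMB_FRAME = make_frame(8 << 30, [(1, ord("A"))])
```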
RECOMMENDATION:
We strongly recommend updating Netty to the fixed version given in the advisory for each CVE:
CVE-2026-42577: https://github.com/advisories/GHSA-rwm7-x88c-3g2p
CVE-2026-42579: https://github.com/advisories/GHSA-cm33-6792-r9fm
CVE-2026-42582: https://github.com/advisories/GHSA-2c5c-chwr-9hqw
CVE-2026-42583: https://github.com/advisories/GHSA-mj4r-2hfc-f8p6
CVE-2026-42584: https://github.com/advisories/GHSA-57rv-r2g8-2cj3
CVE-2026-42587: https://github.com/advisories/GHSA-f6hv-jmp6-3vwv
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-rwm7-x88c-3g2p
https://github.com/advisories/GHSA-cm33-6792-r9fm
https://github.com/advisories/GHSA-2c5c-chwr-9hqw
https://github.com/advisories/GHSA-mj4r-2hfc-f8p6
https://github.com/advisories/GHSA-57rv-r2g8-2cj3
https://github.com/advisories/GHSA-f6hv-jmp6-3vwv