CVE-2026-44250
- EPSS 0.37%
- Veröffentlicht 11.06.2026 20:49:00
- Zuletzt bearbeitet 30.06.2026 03:19:52
Netty is a network application framework for development of protocol servers and clients. In netty-codec-redis prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can cause DoS by sending a crafted Redis payload with deeply nested arrays. T...
CVE-2026-44249
- EPSS 0.55%
- Veröffentlicht 11.06.2026 20:46:14
- Zuletzt bearbeitet 09.07.2026 13:17:17
Netty is a network application framework for development of protocol servers and clients. In netty-handler prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can bypass IPv6 subnet rules due to an incorrect masking operation in IpSubnetFil...
CVE-2026-44248
- EPSS 0.46%
- Veröffentlicht 13.05.2026 18:23:37
- Zuletzt bearbeitet 30.06.2026 03:19:52
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the MQTT 5 header Properties section is parsed and buffered before any message size limit is applied. Specifically, in MqttDecoder, the dec...
CVE-2026-42587
- EPSS 0.86%
- Veröffentlicht 13.05.2026 18:22:21
- Zuletzt bearbeitet 09.07.2026 13:17:16
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This l...
CVE-2026-42586
- EPSS 0.2%
- Veröffentlicht 13.05.2026 18:20:46
- Zuletzt bearbeitet 18.05.2026 18:02:43
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the Netty Redis codec encoder (RedisEncoder) writes user-controlled string content directly to the network output buffer without validating...
CVE-2026-42585
- EPSS 0.25%
- Veröffentlicht 13.05.2026 18:12:39
- Zuletzt bearbeitet 18.05.2026 12:24:23
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4...
CVE-2026-42584
- EPSS 0.63%
- Veröffentlicht 13.05.2026 18:10:48
- Zuletzt bearbeitet 09.07.2026 13:17:16
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll() once per response, including for 1xx. If the client pi...
CVE-2026-42583
- EPSS 0.43%
- Veröffentlicht 13.05.2026 18:09:19
- Zuletzt bearbeitet 18.05.2026 12:22:15
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Lz4FrameDecoder allocates a ByteBuf of size decompressedLength (up to 32 MB per block) before LZ4 runs. A peer only needs a 21-byte header ...
CVE-2026-42582
- EPSS 0.44%
- Veröffentlicht 13.05.2026 18:06:55
- Zuletzt bearbeitet 18.05.2026 12:54:49
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final, when decoding header blocks, the non-Huffman branch of io.netty.handler.codec.http3.QpackDecoder#decodeHuffmanEncodedLiteral may execute new byte[length] for...
CVE-2026-42580
- EPSS 0.36%
- Veröffentlicht 13.05.2026 18:04:03
- Zuletzt bearbeitet 18.05.2026 14:03:25
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's chunk size parser silently overflows int, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.1...