CVE-2026-44248— Netty: Resource exhaustion in MqttDecoder
Possible ATT&CK Techniques 1AI
T1496 · Resource HijackingAffected Version Matrix 4
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| io.netty | netty-codec-mqtt | >= 4.2.0.Alpha1, < 4.2.13.Final | affected |
< 4.1.133.Final | affected | ||
| netty | netty | >= 4.2.0.Alpha1, < 4.2.13.Final | affected |
< 4.1.133.Final | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-44248
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Netty: Resource exhaustion in MqttDecoder
Source: NVD (National Vulnerability Database)
Vulnerability Description
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the MQTT 5 header Properties section is parsed and buffered before any message size limit is applied. Specifically, in MqttDecoder, the decodeVariableHeader() method is called before the bytesRemainingBeforeVariableHeader > maxBytesInMessage check. The decodeVariableHeader() can call other methods which will call decodeProperties(). Effectively, Netty does not apply any limits to the size of the properties being decoded. Additionally, because MqttDecoder extends ReplayingDecoder, Netty will repeatedly re-parse the enormous Properties sections and buffer the bytes in memory, until the entire thing parses to completion. This can cause high resource usage in both CPU and memory. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Source: NVD (National Vulnerability Database)
Vulnerability Type
未加控制的资源消耗(资源穷尽)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Netty 资源管理错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Netty是Netty社区的一款非阻塞I/O客户端-服务器框架,它主要用于开发Java网络应用程序,如协议服务器和客户端等。 Netty 4.2.13.Final之前版本和4.1.133.Final之前版本存在资源管理错误漏洞,该漏洞源于MQTT 5标头Properties部分在应用消息大小限制前被解析和缓冲,导致CPU和内存资源消耗过高。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| netty | netty | >= 4.2.0.Alpha1, < 4.2.13.Final | - | |
| io.netty | netty-codec-mqtt | >= 4.2.0.Alpha1, < 4.2.13.Final | - |
II. Public POCs for CVE-2026-44248
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-44248
请登录查看更多情报信息。
- https://github.com/netty/netty/security/advisories/GHSA-jfg9-48mv-9qgxx_refsource_CONFIRM
- https://nvd.nist.gov/vuln/detail/CVE-2026-44248
Same Patch Batch · netty · 2026-05-13 · 12 CVEs total
| CVE-2026-42587 | 7.5 HIGH | Netty: HttpContentDecompressor maxAllocation bypass via Content-Encoding: br/zstd/snappy e |
| CVE-2026-42582 | 7.5 HIGH | Netty: HTTP/3 QPACK literal unbounded allocation |
| CVE-2026-42579 | 7.5 HIGH | Netty: DNS Codec Input Validation Bypass in Netty (Encoder + Decoder) |
| CVE-2026-42583 | 7.5 HIGH | Netty: Lz4FrameDecoder resource exhaustion |
| CVE-2026-42577 | 7.5 HIGH | Netty: epoll transport denial of service via RST on half-closed TCP connection |
| CVE-2026-42584 | 7.3 HIGH | Netty: HttpClientCodec response desynchronization |
| CVE-2026-42586 | 6.8 MEDIUM | Netty: CRLF Injection in Netty Redis Codec Encoder |
| CVE-2026-42580 | 6.5 MEDIUM | Netty: HTTP Request Smuggling due to incorrect chunk size parsing |
| CVE-2026-42585 | 6.5 MEDIUM | Netty: HTTP Request Smuggling due to malformed Transfer-Encoding |
| CVE-2026-42581 | 5.8 MEDIUM | Netty: HTTP/1.0 TE+CL Coexistence Bypasses Smuggling Sanitization |
| CVE-2026-42578 | Netty: HTTP Header Injection via HttpProxyHandler Disabled Validation |
IV. Related Vulnerabilities
Same product: netty
- CVE-2026-42587
Netty: HttpContentDecompressor maxAllocation bypass via Cont - CVE-2026-42586
Netty: CRLF Injection in Netty Redis Codec Encoder - CVE-2026-42585
Netty: HTTP Request Smuggling due to malformed Transfer-Enco - CVE-2026-42584
Netty: HttpClientCodec response desynchronization - CVE-2026-42583
Netty: Lz4FrameDecoder resource exhaustion
Same vendor: netty
- CVE-2026-42587
Netty: HttpContentDecompressor maxAllocation bypass via Cont - CVE-2026-42586
Netty: CRLF Injection in Netty Redis Codec Encoder - CVE-2026-42585
Netty: HTTP Request Smuggling due to malformed Transfer-Enco - CVE-2026-42584
Netty: HttpClientCodec response desynchronization - CVE-2026-42583
Netty: Lz4FrameDecoder resource exhaustion
Same weakness: CWE-400
- CVE-2026-42304
Twisted: Denial of Service (DoS) in twisted.names via Crafte - CVE-2026-42587
Netty: HttpContentDecompressor maxAllocation bypass via Cont - CVE-2026-42583
Netty: Lz4FrameDecoder resource exhaustion - CVE-2026-44456
Hono: bodyLimit() can be bypassed for chunked / unknown-leng - CVE-2026-44241
Micronaut Framework: Unbounded formattersCache in TimeConver
V. Comments for CVE-2026-44248
No comments yet