CVE-2026-42583

EUVD-2026-30126
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Lz4FrameDecoder allocates a ByteBuf of size decompressedLength (up to 32 MB per block) before LZ4 runs. A peer only needs a 21-byte header plus compressedLength payload bytes - 22 bytes if compressedLength == 1 - to force that allocation. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 34%
Affected Products (NVD)
VendorProductVersion
nettynetty
𝑥
< 4.1.133
nettynetty
4.2.0 ≤
𝑥
< 4.2.13
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
netty
bookworm
vulnerable
bookworm (security)
vulnerable
bullseye
vulnerable
bullseye (security)
vulnerable
forky
vulnerable
sid
vulnerable
trixie
vulnerable
trixie (security)
vulnerable
Common Weakness Enumeration
Vulnerability Media Exposure
References
https://github.com/netty/netty/security/advisories/GHSA-mj4r-2hfc-f8p6
https://github.com/netty/netty/security/advisories/GHSA-mj4r-2hfc-f8p6