CVE-2026-44248
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Summary
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the MQTT 5 header Properties section is parsed and buffered before any message size limit is applied. Specifically, in MqttDecoder, the decodeVariableHeader() method is called before the bytesRemainingBeforeVariableHeader > maxBytesInMessage check. The decodeVariableHeader() can call other methods which will call decodeProperties(). Effectively, Netty does not apply any limits to the size of the properties being decoded. Additionally, because MqttDecoder extends ReplayingDecoder, Netty will repeatedly re-parse the enormous Properties sections and buffer the bytes in memory, until the entire thing parses to completion. This can cause high resource usage in both CPU and memory. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| netty | netty | >= 4.2.0.Alpha1, < 4.2.13.Final | affected |
| netty | netty | < 4.1.133.Final | affected |
| io.netty | netty-codec-mqtt | >= 4.2.0.Alpha1, < 4.2.13.Final | affected |
| io.netty | netty-codec-mqtt | < 4.1.133.Final | affected |
Weaknesses
- CWE-400: CWE-400: Uncontrolled Resource Consumption
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
netty: io.netty/netty-codec-mqtt: Netty: Denial of Service due to excessive resource consumption from crafted MQTT 5 header
Additional References
- https://access.redhat.com/security/cve/CVE-2026-44248
- https://bugzilla.redhat.com/show_bug.cgi?id=2477231
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-44248.json
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.