CVE-2026-48059

HIGH 8.7

Published 2026-06-12 · Last modified 2026-06-30

Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, the HAProxy PROXY protocol v2 codec in netty leaks native or heap memory on every connection when a client sends a syntactically valid header containing nested `PP2_TYPE_SSL` TLVs (type-length-value records) at depth two or greater. The leak occurs on the successful parse path — no exception is thrown, the message fires downstream, the decoder removes itself, and the application releases the `HAProxyMessage` normally. Yet the underlying cumulation buffer (a pooled, potentially direct `ByteBuf` allocated by the channel) remains permanently pinned. Versions 4.1.135.Final and 4.2.15.Final patch the issue.

ELEVATED IMPACT

Severe if exploited (CVSS 8.7), but no known exploitation and low modeled probability. Patch on a normal cadence.

Exploitation likelihood

0.6% chance of exploitation in 30 days · 44th percentile

○ In CISA KEV ○ Public exploit / PoC

Impact if exploited

8.7 CVSS 4.0 · HIGH

  • Confidentiality: None
  • Integrity: None
  • Availability: High

What an attacker needs

  • Access: Reachable over the network — no local access needed
  • Privileges: No account or privileges required
  • User interaction: No user interaction needed
  • Complexity: No special conditions — reliably repeatable
  • Requirements: No special attack requirements

Affected

Vendors: Netty, Red Hat

Products:

  • Netty
  • Red Hat Build Of Apache Camel 3.33 For Quarkus 3.33.2.Sp1
  • Red Hat Build Of Quarkus 3.27.4.Sp1
  • Red Hat Build Of Quarkus 3.33.2.Sp1
  • Cryostat 4
  • Openshift Serverless
  • Red Hat Amq Broker 7
  • Red Hat Build Of Apache Camel Hawtio 4

Weakness (CWE)

  • CWE-401: Memory leak
  • CWE-1286

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Sources: NVD · CVE.org · EPSS