Netty: HAProxy SSL TLV parsing leaks retained slice on invalid...

7.5 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Description

Netty is a network application framework for development of protocol servers and clients. In netty-codec-haproxy prior to versions 4.1.135.Final and 4.2.15.Final, when decoding a PP2_TYPE_SSL TLV, HAProxyMessage.readNextTLV() first calls `header.retainedSlice(header.readerIndex(), length)` and only then reads the 1-byte client field and 4-byte verify field. If the attacker sets the TLV length below 5, the subsequent readByte/readInt throws IndexOutOfBoundsException. HAProxyMessageDecoder only catches HAProxyProtocolException around this call, so the IOOBE propagates and the retained slice on the pooled cumulation buffer is never released. Versions 4.1.135.Final and 4.2.15.Final patch the issue.

Basic Information

ID CVE-2026-44893

Source GitHub_M

Published Jun 12, 2026 at 14:00

Modified Jun 12, 2026 at 14:04

Affected Product

Vendor netty

Product netty

Version >= 4.2.0.Final, < 4.2.15.Final

Affected Versions netty netty >= 4.2.0.Final, < 4.2.15.Final
netty netty < 4.1.135.Final

CWE Classification

CWE-703

References

{
    "lastseen": "",
    "description": "Netty is a network application framework for development of protocol servers and clients. In netty-codec-haproxy prior to versions 4.1.135.Final and 4.2.15.Final, when decoding a PP2_TYPE_SSL TLV, HAProxyMessage.readNextTLV() first calls `header.retainedSlice(header.readerIndex(), length)` and only then reads the 1-byte client field and 4-byte verify field. If the attacker sets the TLV length below 5, the subsequent readByte/readInt throws IndexOutOfBoundsException. HAProxyMessageDecoder only catches HAProxyProtocolException around this call, so the IOOBE propagates and the retained slice on the pooled cumulation buffer is never released. Versions 4.1.135.Final and 4.2.15.Final patch the issue.",
    "published": "2026-06-12T14:00:25.801Z",
    "modified": "2026-06-12T14:04:45.663Z",
    "type": "cve",
    "title": "Netty: HAProxy SSL TLV parsing leaks retained slice on invalid TLV length",
    "source": "GitHub_M",
    "references": "https://github.com/netty/netty/security/advisories/GHSA-cc37-9q2j-3hfv\nhttps://github.com/netty/netty/releases/tag/netty-4.1.135.Final\nhttps://github.com/netty/netty/releases/tag/netty-4.2.15.Final",
    "id": "CVE-2026-44893",
    "bulletinFamily": "",
    "cwe": [
        "CWE-703"
    ],
    "cvelist": null,
    "sourceData": "netty netty >= 4.2.0.Final, < 4.2.15.Final\nnetty netty < 4.1.135.Final",
    "sourceHref": "",
    "cvss": {
        "score": 7.5,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "netty",
    "version": ">= 4.2.0.Final, < 4.2.15.Final",
    "vendor": "netty",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Netty: HAProxy SSL TLV parsing leaks retained slice on invalid TLV length_CVE-2026-44893