HIGHCVE-2026-42583Published Modified CNA GitHub_M
CVE-2026-42583: Netty: Lz4FrameDecoder resource exhaustion
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Lz4FrameDecoder allocates a ByteBuf of size decompressedLength (up to 32 MB per block) before LZ4 runs. A peer only needs a 21-byte header plus compressedLength payload bytes - 22 bytes if compressedLength == 1 - to force that allocation. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Metrics
- CVSS v3.1
- 7.5
- Severity
- HIGH
- Fixed in
- —
- Affected Products
- 3
Affected packages
- netty / netty>= 4.2.0.Alpha1, < 4.2.13.Final · < 4.1.133.Final
- io.netty / netty-codec< 4.1.133.Final
- io.netty / netty-codec-compression< 4.2.13.Final
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H