HarborGuardharborguardDatabase
Back to search
HIGHCVE-2026-44249Published Modified CNA GitHub_M

CVE-2026-44249: Netty has an IPv6 Subnet Filter Bypass via Incorrect Comparator Masking

Netty is a network application framework for development of protocol servers and clients. In netty-handler prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can bypass IPv6 subnet rules due to an incorrect masking operation in IpSubnetFilterRule.compareTo(). Valid public IP addresses can bypass the restrictions. Versions 4.1.135.Final and 4.2.15.Final patch the issue.

Metrics

CVSS v3.1
8.1
Severity
HIGH
Fixed in
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

An access-control bypass vulnerability exists in the netty-handler component of the Netty network application framework. A remote attacker with no authentication can exploit a flawed masking operation in IpSubnetFilterRule.compareTo() to make a valid public IPv6 address appear to match (or not match) a configured subnet rule, bypassing IP-based allow or deny lists. Successful exploitation gives the attacker full read, write, and availability impact against services relying on those subnet filters for access control. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment fix versions are published upstream.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle netty-handler. Any image containing an affected version of the netty or netty-handler artifact is flagged automatically.

Available
Triage

HarborGuard scores this finding at CVSS 8.1 HIGH using the published v3.1 vector and weights it further against each environment's compliance policy, so teams with stricter network-exposure policies will see it surfaced at elevated priority. Triage tickets are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Available
Patch

Because no fix version has been published upstream yet, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available at the corrected version the moment 4.1.135.Final or 4.2.15.Final is released. For customers with auto-remediation enabled, a rebuilt image, regression-test run, and a pull request opened against affected workloads will follow automatically once the upstream fix is confirmed.

Pending upstream

Exploit Conditions

  • Network reachabilityRequired

    The attacker must reach the Netty service over the network; the vulnerable code path is exposed on any network-accessible endpoint that relies on IPv6 subnet filtering.

  • AuthenticationNot required

    No credentials are needed; the bypass is exercised at the network filtering layer before any authentication check.

  • Victim interactionNot required

    No user interaction is required; the attacker sends crafted IPv6 traffic directly to the service.

  • Attack complexityDetail

    Exploitation is rated high complexity, meaning the attacker may need to account for specific environmental conditions such as the exact subnet rule configuration and IPv6 address construction to reliably trigger the masking error.

Blast Radius

  • A successful attacker bypasses IPv6 subnet allow or deny rules and reaches service endpoints that should have been blocked, reading data those endpoints expose such as stored records, session state, or internal API responses.
  • The attacker can issue write operations to endpoints gated only by the bypassed subnet filter, modifying persisted application data or triggering privileged actions.
  • If the attacker directs traffic at resource-intensive paths now reachable past the filter, they can exhaust service resources and crash the affected Netty process.
  • Any downstream service that trusts access decisions made by the Netty layer inherits the same exposure, widening the reachable attack surface beyond the initial entry point.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists at this time, HarborGuard continuously re-evaluates the advisory on every ingest cycle so that a patched-image rebuild becomes available immediately when 4.1.135.Final or 4.2.15.Final is published. In the interim, compensating controls worth considering include adding a network policy to restrict IPv6 traffic to the affected service at the infrastructure layer (Kubernetes NetworkPolicy or equivalent), applying egress filtering on upstream load balancers so that only expected source prefixes reach Netty, and where architecture permits, disabling or replacing the IpSubnetFilterRule-based access control with an authentication layer that does not rely on IP matching. For customers with auto-remediation enabled, HarborGuard will trigger a rebuild, run regression tests, and open a pull request against affected workloads as soon as the patched artifact is available in the upstream registry.

See how HarborGuard automates this
Affected packages
  • netty / netty
    >= 4.2.0.Final, < 4.2.15.Final · < 4.1.135.Final
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
References