{"document":{"category":"csaf_vex","csaf_version":"2.0","title":"CVE-2026-44249: Netty has an IPv6 Subnet Filter Bypass via Incorrect Comparator Masking","publisher":{"category":"vendor","name":"HarborGuard Database","namespace":"https://database.harborguard.co"},"tracking":{"id":"CVE-2026-44249","status":"final","version":"1","initial_release_date":"2026-06-11T20:46:14.110Z","current_release_date":"2026-06-13T03:55:45.263Z","revision_history":[{"date":"2026-06-11T20:46:14.110Z","number":"1","summary":"Initial machine-readable export from HarborGuard."}]},"distribution":{"tlp":{"label":"WHITE"},"text":"Public CVE data; freely redistributable."},"notes":[{"category":"description","text":"Netty is a network application framework for development of protocol servers and clients. In netty-handler prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can bypass IPv6 subnet rules due to an incorrect masking operation in IpSubnetFilterRule.compareTo(). Valid public IP addresses can bypass the restrictions. Versions 4.1.135.Final and 4.2.15.Final patch the issue.","title":"CVE description"}],"references":[{"category":"self","summary":"CVE-2026-44249 on HarborGuard Database","url":"https://database.harborguard.co/cve/CVE-2026-44249"},{"category":"external","summary":"CVE Record","url":"https://www.cve.org/CVERecord?id=CVE-2026-44249"},{"category":"external","summary":"https://github.com/netty/netty/security/advisories/GHSA-3qp7-7mw8-wx86","url":"https://github.com/netty/netty/security/advisories/GHSA-3qp7-7mw8-wx86"},{"category":"external","summary":"https://github.com/netty/netty/releases/tag/netty-4.1.135.Final","url":"https://github.com/netty/netty/releases/tag/netty-4.1.135.Final"},{"category":"external","summary":"https://github.com/netty/netty/releases/tag/netty-4.2.15.Final","url":"https://github.com/netty/netty/releases/tag/netty-4.2.15.Final"}]},"product_tree":{"branches":[{"category":"vendor","name":"netty","branches":[{"category":"product_name","name":"netty","branches":[{"category":"product_version","name":">= 4.2.0.Final, < 4.2.15.Final","product":{"name":"netty netty >= 4.2.0.Final, < 4.2.15.Final","product_id":"CSAFPID-1","product_identification_helper":{"cpe":"cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"< 4.1.135.Final","product":{"name":"netty netty < 4.1.135.Final","product_id":"CSAFPID-2","product_identification_helper":{"cpe":"cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*"}}}]}]}]},"vulnerabilities":[{"cve":"CVE-2026-44249","title":"Netty has an IPv6 Subnet Filter Bypass via Incorrect Comparator Masking","notes":[{"category":"description","text":"Netty is a network application framework for development of protocol servers and clients. In netty-handler prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can bypass IPv6 subnet rules due to an incorrect masking operation in IpSubnetFilterRule.compareTo(). Valid public IP addresses can bypass the restrictions. Versions 4.1.135.Final and 4.2.15.Final patch the issue.","title":"CVE description"}],"product_status":{"known_affected":["CSAFPID-1","CSAFPID-2"]},"scores":[{"cvss_v3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":8.1,"baseSeverity":"HIGH"},"products":["CSAFPID-1","CSAFPID-2"]}],"remediations":[{"category":"none_available","details":"No fixed version is published yet. Monitor the upstream advisory.","product_ids":["CSAFPID-1","CSAFPID-2"]}]}]}