Severity: HIGH · CNA: GitHub_M

CVE-2026-44893: Netty: HAProxy SSL TLV parsing leaks retained slice on invalid TLV length

Netty is a network application framework for development of protocol servers and clients. In netty-codec-haproxy prior to versions 4.1.135.Final and 4.2.15.Final, when decoding a PP2_TYPE_SSL TLV, HAProxyMessage.readNextTLV() first calls `header.retainedSlice(header.readerIndex(), length)` and only then reads the 1-byte client field and 4-byte verify field. If the attacker sets the TLV length below 5, the subsequent readByte/readInt throws IndexOutOfBoundsException. HAProxyMessageDecoder only catches HAProxyProtocolException around this call, so the IOOBE propagates and the retained slice on the pooled cumulation buffer is never released. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
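The safe ordering the fix requires, shown as an added Python example rather than Netty's own Java: a small PROXY protocol v2 TLV parser that validates the PP2_TYPE_SSL length against the 5-byte fixed header (1-byte client, 4-byte verify) before it ever slices into the value, so a short length becomes a catchable protocol error instead of an index error thrown after a slice has been taken. The constants, the `HAProxyProtocolError` class and the sample TLV bytes are constructed for this example.

```python
import struct

PP2_TYPE_SSL = 0x20            # PROXY v2 TLV type carrying TLS details
PP2_SUBTYPE_SSL_VERSION = 0x21
PP2_SSL_FIXED_LEN = 5          # 1-byte client field + 4-byte verify field

class HAProxyProtocolError(ValueError):
    """Catchable protocol error, the analogue of HAProxyProtocolException."""

def parse_tlvs(payload: bytes) -> list:
    """Parse PROXY v2 TLVs (type:1, length:2 big-endian, value).
    The PP2_TYPE_SSL length is checked before the value is sliced, so a short
    length surfaces as HAProxyProtocolError rather than as an IndexError raised
    after a slice has already been taken (the order that leaks in the CVE)."""
    tlvs, pos = [], 0
    while pos < len(payload):
        if len(payload) - pos < 3:
            raise HAProxyProtocolError("truncated TLV header")
        tlv_type, length = struct.unpack_from("!BH", payload, pos)
        pos += 3
        if len(payload) - pos < length:
            raise HAProxyProtocolError("TLV length exceeds remaining payload")
        if tlv_type == PP2_TYPE_SSL and length < PP2_SSL_FIXED_LEN:
            raise HAProxyProtocolError(
                f"PP2_TYPE_SSL length {length} < {PP2_SSL_FIXED_LEN}")
        value = payload[pos:pos + length]   # slice only after every check passed
        pos += length
        entry = {"type": tlv_type, "length": length}
        if tlv_type == PP2_TYPE_SSL:
            client, verify = struct.unpack_from("!BI", value, 0)
            entry.update(client=client, verify=verify,
                         sub_tlvs=parse_tlvs(value[PP2_SSL_FIXED_LEN:]))
        else:
            entry["value"] = value
        tlvs.append(entry)
    return tlvs

def rejects(payload: bytes) -> bool:
    """True when the payload is refused as a protocol error, not a crash."""
    try:
        parse_tlvs(payload)
        return False
    except HAProxyProtocolError:
        return True

# Constructed sample TLVs (hand-built for this example, not captured traffic).
SSL_TLV_GOOD = (bytes([PP2_TYPE_SSL, 0x00, 0x0F, 0x01]) + b"\x00\x00\x00\x00"
                + bytes([PP2_SUBTYPE_SSL_VERSION, 0x00, 0x07]) + b"TLSv1.3")
SSL_TLV_BAD = bytes([PP2_TYPE_SSL, 0x00, 0x02, 0xAA, 0xBB])   # declares 2 < 5
```

In a reference-counted buffer implementation the same rule applies: any `retain` (or `retainedSlice`) must happen after the length checks, or be paired with a `finally` that releases it when a later read throws.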

Metrics

  • CVSS v3.1: 7.5
  • Severity: HIGH
  • Fixed in: none listed
  • Affected Products: 1


HarborGuard Analysis

Synopsis

This is a memory-leak vulnerability in the netty-codec-haproxy component of the Netty network application framework. A remote, unauthenticated attacker can send a crafted HAProxy PROXY protocol v2 message containing a PP2_TYPE_SSL TLV with a length value below 5 bytes, triggering an uncaught IndexOutOfBoundsException that leaves a retained slice on the pooled cumulation buffer unreleased. Repeated exploitation exhausts the JVM off-heap memory pool and causes a denial of service by crashing or hanging the affected service. No patched versions have been published upstream yet; HarborGuard is tracking the advisory and will make a patched-image rebuild available as soon as a fix version is released.

HarborGuard Coverage

Detection (status: Available)

Detection of CVE-2026-44893 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images in connected registries and CI pipelines, including internally built images that bundle Netty as a transitive dependency.

Triage (status: Available)

HarborGuard surfaces this CVE with its CVSS v3.1 score of 7.5 (HIGH) and weights it against each environment's compliance policy to determine routing priority; alerts are directed to the appropriate team inbox within each customer organization based on image ownership and policy rules.

Patch (status: Pending upstream)

Because no upstream fix version has been published yet, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment versions 4.1.135.Final or 4.2.15.Final are released upstream. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention once the fix lands.

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the Netty service over the network and send a crafted PROXY protocol v2 connection message.

  • Authentication: Not required

    No credentials or prior session are needed; the malformed TLV can be sent in the initial proxy protocol handshake before any authentication takes place.

  • Victim interaction: Not required

    No user action is required; the vulnerability is triggered entirely by the attacker sending a malformed network message.

  • Attack complexity: Low

    Exploitation is reliable and condition-free: the attacker only needs to set the TLV length field to a value below 5, which consistently triggers the uncaught exception on any affected version.

Blast Radius

  • The affected service exhausts its JVM off-heap (direct) memory pool as unreleased retained slices accumulate across repeated malformed requests.
  • Once memory is exhausted, the service crashes or becomes unresponsive, taking down all traffic it handles including legitimate connections.
  • There is no confidentiality or integrity impact: the attacker cannot read data or modify state, only disrupt availability.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix has been published for CVE-2026-44893, the platform monitors the advisory on every ingest cycle and will trigger a patched-image rebuild automatically once Netty releases versions 4.1.135.Final or 4.2.15.Final. For customers with auto-remediation enabled, that rebuild will be followed immediately by a regression run and a PR opened against any affected workloads, with no manual steps required. In the meantime, compensating controls available to consider include network-policy rules that restrict which upstream sources can send PROXY protocol v2 connections to Netty services, egress and ingress filtering at the load balancer or sidecar proxy layer to validate or strip HAProxy PROXY headers before they reach the application, and disabling HAProxy PROXY protocol support on any Netty listener that does not strictly require it via feature-flag or configuration gating. HarborGuard will surface the patch availability notification through the same policy-weighted routing used for the initial alert, ensuring the right team is notified without delay.

Affected packages

  • netty / netty: >= 4.2.0.Final, < 4.2.15.Final; < 4.1.135.Final

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H