HarborGuardharborguardDatabase
Back to search
HIGHCVE-2026-45416Published Modified CNA GitHub_M

CVE-2026-45416: Netty: SNI handler pre-allocates up to 16 MiB from nine attacker bytes

Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, SslClientHelloHandler.decode() reads the 24-bit TLS handshake length and, when the ClientHello does not fit in the first record, eagerly allocates `ctx.alloc().buffer(handshakeLength)` (line 161). The guard at line 140 is `handshakeLength > maxClientHelloLength && maxClientHelloLength != 0`, and the commonly-used SniHandler/AbstractSniHandler constructors (SniHandler(Mapping), SniHandler(AsyncMapping), AbstractSniHandler()) pass maxClientHelloLength=0 and handshakeTimeoutMillis=0, so the length guard is disabled and no timeout is scheduled. A 16 MiB request exceeds the default pooled chunk size and becomes a huge/unpooled allocation performed immediately. The buffer is retained in the handler until the channel closes. Versions 4.1.135.Final and 4.2.15.Final patch the issue.

Metrics

CVSS v3.1
7.5
Severity
HIGH
Fixed in
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

This is a memory exhaustion vulnerability in the Netty network framework, specifically in its SNI (Server Name Indication) TLS handshake handler. The flaw is reachable over the network with no authentication required, and exploiting it causes the server to immediately allocate up to 16 MiB of heap memory per connection by sending just nine crafted bytes in a TLS ClientHello message. Successful exploitation allows a remote attacker to exhaust JVM heap memory and crash or severely degrade the affected service. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment fix versions are published upstream.

HarborGuard Coverage

Detection

Detection of CVE-2026-45416 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images in registries and CI pipelines, including custom-built images that bundle Netty as a dependency.

Available
Triage

HarborGuard scores this finding at CVSS 7.5 (HIGH) and applies per-environment compliance policy weighting to determine urgency and routing, directing the finding to the appropriate team inbox within each customer organization.

Available
Patch

Because no fix versions have been published yet, HarborGuard re-checks this advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Netty ships a remediated release upstream. For customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention once the upstream fix is available.

Pending upstream

Exploit Conditions

  • Network reachabilityRequired

    The attacker must reach the TLS listener over the network; no prior foothold on the host is needed.

  • AuthenticationNot required

    The malicious ClientHello can be sent before any authentication takes place, so no credentials or session token are needed.

  • Victim interactionNot required

    No user action is required; the server processes the crafted TLS record automatically upon receipt.

  • Attack complexityDetail

    Exploitation is reliable and condition-free: sending a nine-byte ClientHello with a crafted 24-bit handshake length field is sufficient to trigger the oversized allocation on any unpatched endpoint using the default SniHandler constructors.

Blast Radius

  • The attacker forces an immediate 16 MiB unpooled heap allocation per connection, retained until the channel closes.
  • Repeated connections exhaust JVM heap memory, causing out-of-memory errors and crashing the Netty-based service.
  • All traffic handled by the affected server process is disrupted, including legitimate TLS connections from real clients.
  • Depending on deployment topology, a crash of the Netty process can take down co-located services or trigger cascading failures in dependent systems.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists at this time, HarborGuard continuously monitors the Netty advisory on every ingest cycle and will surface a patched-image rebuild the moment versions 4.1.135.Final or 4.2.15.Final (or later) are published. In the interim, compensating controls worth considering include network-policy rules that restrict which source IPs may initiate TLS handshakes to affected services, connection-rate limiting at the load balancer or ingress layer to reduce the volume of attack connections, and replacing default SniHandler constructor calls with explicit constructors that set a non-zero maxClientHelloLength and a handshake timeout, which re-enables the length guard and schedules a timeout even on unpatched builds. For customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads will trigger automatically once the upstream release is available.

See how HarborGuard automates this
Affected packages
  • netty / netty
    >= 4.2.0.Final, < 4.2.15.Final · < 4.1.135.Final
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References