HIGH · CVE-2026-46340 · CNA: GitHub_M

CVE-2026-46340: Netty: SCTP reassembly nests buffers without bound

Netty is a network application framework for development of protocol servers and clients. In versions of netty-transport-sctp prior to 4.1.135.Final and 4.2.15.Final, for each non-complete SctpMessage fragment the handler does `fragments.put(streamId, Unpooled.wrappedBuffer(frag, byteBuf))`, wrapping the previous accumulator and the new slice into a *new* CompositeByteBuf every time. After N fragments the accumulator is an N-deep chain of composites, each holding references and component arrays; readableBytes()/getBytes() on the final buffer recurse N levels. There is no limit on N, on total bytes, or on the number of streamIdentifiers an attacker can open (each gets its own map entry). A peer that never sets the `complete` flag can grow this structure indefinitely from tiny 1-byte DATA chunks. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
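The accumulation pattern described above can be contrasted with a bounded one. The following is an added example, not Netty's code or its upstream patch: a per-stream reassembly buffer that appends each fragment to one flat CompositeByteBuf and enforces caps on fragments, bytes and open streams. The class name and the three limits are assumptions, and it needs netty-buffer on the classpath.

```java
import io.netty.buffer.ByteBuf;
import io.netty.buffer.CompositeByteBuf;
import io.netty.buffer.Unpooled;
import java.util.HashMap;
import java.util.Map;

/** Added illustration, not Netty's code: per-stream reassembly with hard caps. */
public final class BoundedSctpReassembly {
    // Hypothetical limits; size them to the protocol carried over SCTP.
    static final int MAX_STREAMS = 64;
    static final int MAX_FRAGMENTS = 1024;
    static final int MAX_BYTES = 1 << 20;

    private final Map<Integer, CompositeByteBuf> fragments = new HashMap<>();

    /** Takes ownership of frag. Returns the whole message once complete, else null. */
    ByteBuf offer(int streamId, boolean complete, ByteBuf frag) {
        CompositeByteBuf acc = fragments.get(streamId);
        if (acc == null) {
            if (complete) return frag; // unfragmented message: nothing to store
            if (fragments.size() >= MAX_STREAMS) {
                frag.release();
                throw new IllegalStateException("too many streams with pending fragments");
            }
            acc = Unpooled.compositeBuffer(MAX_FRAGMENTS);
            fragments.put(streamId, acc);
        }
        if (acc.numComponents() >= MAX_FRAGMENTS
                || acc.readableBytes() + frag.readableBytes() > MAX_BYTES) {
            frag.release();
            fragments.remove(streamId).release(); // drop everything buffered for the stream
            throw new IllegalStateException("reassembly limit exceeded on stream " + streamId);
        }
        acc.addComponent(true, frag); // append to one flat composite; no re-wrapping
        return complete ? fragments.remove(streamId) : null;
    }

    public static void main(String[] args) {
        BoundedSctpReassembly r = new BoundedSctpReassembly();
        r.offer(7, false, Unpooled.wrappedBuffer(new byte[] {'h', 'i'}));
        ByteBuf msg = r.offer(7, true, Unpooled.wrappedBuffer(new byte[] {'!'}));
        System.out.println("stream 7 reassembled " + msg.readableBytes() + " bytes");
        msg.release();
        try { // constructed input: 1-byte fragments that never set 'complete'
            while (true) r.offer(9, false, Unpooled.wrappedBuffer(new byte[] {0}));
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

In a pipeline, the exception would reach `exceptionCaught`, where closing the association and releasing any remaining map entries is the usual response.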

Metrics

  • CVSS v3.1: 7.5
  • Severity: HIGH
  • Fixed in:
  • Affected Products: 1

HarborGuard Analysis

Synopsis

An unbounded memory growth vulnerability exists in the SCTP message reassembly handler of Netty's netty-transport-sctp component. The flaw is reachable over the network with no authentication required, and an attacker can exploit it by sending a continuous stream of single-byte SCTP DATA chunks with the 'complete' flag never set, causing the JVM process to exhaust available heap memory. Successful exploitation results in a denial of service, crashing or rendering unresponsive any service that uses Netty's SCTP transport. No fix versions have been published yet; HarborGuard is tracking the advisory for patch availability.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle netty-transport-sctp as a transitive dependency. Any image containing an affected version (netty-transport-sctp >= 4.2.0.Final and < 4.2.15.Final, or < 4.1.135.Final) is flagged in the customer's registry and CI pipeline scan results.

Status: Available

Triage

HarborGuard scores this CVE at 7.5 HIGH using the published CVSS v3.1 vector and surfaces it accordingly in each customer's findings feed, weighted against that environment's compliance policy configuration. Triage routing directs the finding to the team or inbox the customer has mapped to HIGH-severity network-reachable issues.

Status: Available

Patch

Because no upstream fix has been published for this CVE, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment the upstream project ships versions 4.1.135.Final or 4.2.15.Final. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered automatically once a fix version is confirmed.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to open an SCTP connection to the target service over the network; no local access or physical presence is needed.

  • Authentication: Not required

    No credentials or session token are needed; any peer that can establish an SCTP connection can send the malformed fragment stream.

  • Victim interaction: Not required

    Exploitation is fully attacker-driven; no user action, click, or session from a legitimate user is required.

  • Attack complexity (detail)

    The exploit is reliable and condition-free: the attacker only needs to send a continuous stream of 1-byte chunks without setting the 'complete' flag, with no race conditions or memory-layout dependencies to manage.

Blast Radius

  • Heap memory is consumed without bound by the growing composite-buffer chain, eventually exhausting the JVM's available memory.
  • The affected Netty-based service crashes or stops accepting and processing requests, causing a full denial of service.
  • Each distinct SCTP stream identifier opened by the attacker gets its own map entry, multiplying memory pressure and accelerating heap exhaustion.
  • Recovery requires a process restart; any in-flight state held in the Netty pipeline, such as partially assembled messages for legitimate peers, is lost.

How HarborGuard Handles This

Available on HarborGuard: images containing affected versions of netty-transport-sctp are detected and flagged on every scan cycle. Because no upstream fix is currently published, HarborGuard monitors the Netty advisory on each ingest cycle and will trigger a patched-image rebuild automatically the moment versions 4.1.135.Final or 4.2.15.Final are confirmed upstream. For customers with auto-remediation enabled, that rebuild will be followed immediately by a regression test run and a PR opened against affected workloads. While awaiting the upstream fix, teams can reduce exposure through network-policy controls that restrict which peers are permitted to open SCTP connections to the affected service, egress and ingress filtering at the load-balancer or sidecar layer, and disabling the SCTP transport handler entirely if SCTP is not required by the application, using a feature-flag or configuration change rather than waiting for a code-level patch.

Affected packages
  • netty / netty
    >= 4.2.0.Final, < 4.2.15.Final · < 4.1.135.Final
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H