HarborGuard Database
HIGH · CVE-2026-48059 · CNA: GitHub_M

CVE-2026-48059: Netty HAProxy: Unbalanced Reference Count in Nested PP2_TYPE_SSL TLV Parsing Leads to Memory Exhaustion

Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, the HAProxy PROXY protocol v2 codec in netty leaks native or heap memory on every connection when a client sends a syntactically valid header containing nested `PP2_TYPE_SSL` TLVs (type-length-value records) at depth two or greater. The leak occurs on the successful parse path — no exception is thrown, the message fires downstream, the decoder removes itself, and the application releases the `HAProxyMessage` normally. Yet the underlying cumulation buffer (a pooled, potentially direct `ByteBuf` allocated by the channel) remains permanently pinned. Versions 4.1.135.Final and 4.2.15.Final patch the issue.

Metrics

CVSS v4.0 base score: 8.7
Severity: HIGH
Fixed in: (none listed)
Affected products: 1


HarborGuard Analysis

Synopsis

An unbalanced reference count bug in the Netty HAProxy PROXY protocol v2 codec causes a permanent memory leak on every affected connection. The vulnerability is reachable over the network with no authentication required: any client that sends a syntactically valid PROXY protocol v2 header containing nested PP2_TYPE_SSL TLV records at depth two or greater triggers the leak. Successful exploitation exhausts available native or heap memory, crashing or severely degrading the affected service. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment upstream publishes a fix for the affected version range.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-48059 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all container images in customer registries and CI pipelines, including custom-built images that bundle Netty as a dependency.

Triage: Available

Triage is available with a CVSS v4.0 base score of 8.7 (HIGH), weighted against each environment's compliance policy to determine urgency and routed to the appropriate team inbox within the customer org.

Patch: Pending upstream

No upstream fix versions have been published for CVE-2026-48059 at this time. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Netty versions 4.1.135.Final or 4.2.15.Final, or later, are confirmed as fixes by the upstream project.

Exploit Conditions

  • Network reachability: Required

    The vulnerable codec is exposed over the network; an attacker must be able to open a TCP connection to the service and send a crafted PROXY protocol v2 header.

  • Authentication: Not required

    No credentials or session token are needed; any unauthenticated client connection is sufficient to trigger the leak.

  • Victim interaction: Not required

    No user or operator action is required; the attacker sends the crafted header directly over the connection.

  • Attack complexity: Low

    Exploit conditions are straightforward and reliable: the trigger is a syntactically valid header with nested TLVs, requiring no race conditions, memory-layout guessing, or environmental preconditions.

Blast Radius

  • Each crafted connection permanently pins a pooled ByteBuf allocation, preventing the allocator from reclaiming that memory for the lifetime of the process.
  • An attacker who repeatedly opens connections exhausts the native or heap memory pool available to the JVM, causing allocation failures across all threads.
  • Once memory is exhausted the service crashes or becomes unable to accept new connections, producing a complete denial of service for all users of the affected application.

How HarborGuard Handles This

Available on HarborGuard: this CVE is flagged on every image found to include a Netty artifact in the affected range (4.2.0.Final up to 4.2.15.Final, or any 4.1.x release before 4.1.135.Final). Because no upstream fix has been published yet, HarborGuard monitors the advisory on every feed-ingest cycle. The moment Netty ships a confirmed fix, a patched-image rebuild becomes available automatically; for customers with auto-remediation enabled, that rebuild is followed by a regression-test run and a PR opened against affected workloads. In the interim, compensating controls available through HarborGuard network policy include isolating services that use the HAProxy codec behind a trusted load balancer or reverse proxy that strips or validates PROXY protocol v2 headers before forwarding, and applying egress-filtering rules that prevent untrusted clients from reaching the raw TCP port directly.
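As an added triage check (not part of this advisory or of Netty's own code), the snippet below matches Netty version strings against the affected ranges stated above, so a dependency list or SBOM can be screened before a fixed image is available. The Maven groupId io.netty and the artifact names in the sample are used for illustration, and the sample dependency list is constructed.

```python
import re
from typing import Optional

# Affected ranges as the advisory states them: any 4.1.x before 4.1.135.Final,
# and 4.2.0.Final up to but excluding 4.2.15.Final.
FIXED_BY_LINE = {(4, 1): (4, 1, 135), (4, 2): (4, 2, 15)}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.([A-Za-z0-9]+))?$")

def parse_netty_version(version: str) -> Optional[tuple]:
    """'4.1.134.Final' -> (4, 1, 134, 1). Pre-release qualifiers (RC1, Beta2)
    sort before the Final release of the same number, as in Maven ordering."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    major, minor, patch, qualifier = m.groups()
    return (int(major), int(minor), int(patch), 1 if qualifier in (None, "Final") else 0)

def is_affected(version: str) -> bool:
    """True if the version lies inside one of the advisory's affected ranges."""
    key = parse_netty_version(version)
    if key is None or key[:2] not in FIXED_BY_LINE:
        return False  # unparseable or another release line: not matched here
    fixed = FIXED_BY_LINE[key[:2]] + (1,)
    # The 4.2 line has an explicit lower bound (4.2.0.Final); the 4.1 line has none.
    lower = (4, 2, 0, 1) if key[:2] == (4, 2) else (4, 1, 0, 0)
    return lower <= key < fixed

def scan_coordinates(coords):
    """Return the io.netty Maven coordinates (group:artifact:version) in range."""
    flagged = []
    for coord in coords:
        parts = coord.split(":")
        if len(parts) == 3 and parts[0] == "io.netty" and is_affected(parts[2]):
            flagged.append(coord)
    return flagged

# Constructed sample dependency list, as an SBOM or dependency tree might list it.
SAMPLE_COORDINATES = [
    "io.netty:netty-codec-haproxy:4.1.134.Final",  # affected: 4.1.x before 4.1.135
    "io.netty:netty-codec-haproxy:4.1.135.Final",  # fixed
    "io.netty:netty-all:4.2.14.Final",             # affected: 4.2.0 <= v < 4.2.15
    "io.netty:netty-all:4.2.15.Final",             # fixed
    "io.netty:netty-codec-haproxy:4.2.0.RC1",      # pre-release, before 4.2.0.Final
    "org.example:not-netty:4.1.100.Final",         # other groupId, ignored
]

if __name__ == "__main__":
    for coord in scan_coordinates(SAMPLE_COORDINATES):
        print("AFFECTED", coord)
```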

Affected packages

  • netty / netty: >= 4.2.0.Final, < 4.2.15.Final · < 4.1.135.Final

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N