CVE-2021-37136
Description
The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. Malicious input can trigger an OOME and thus a DoS attack.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Netty's Bzip2Decoder lacks size limits on decompressed data, allowing remote attackers to cause OutOfMemoryError and denial of service via crafted input.
Vulnerability
The Bzip2Decoder in Netty (versions prior to the fix) does not enforce a maximum size on decompressed output. The decoder allocates a buffer based on the block length from the compressed data without validation, leading to excessive memory allocation. All users of Bzip2Decoder are affected. [1][2]
Exploitation
An attacker can send a specially crafted Bzip2 compressed stream that declares a large block length. When the decoder processes this input, it allocates a buffer of that size, potentially exceeding available memory. No authentication or special privileges are required; the attacker only needs to deliver the malicious payload to a Netty-based service that uses Bzip2Decoder. [2]
Impact
Successful exploitation results in an OutOfMemoryError (OOME), causing a denial of service (DoS) as the application crashes or becomes unresponsive. The vulnerability affects availability only; confidentiality and integrity are not directly compromised. [1][2]
Mitigation
The fix was introduced in Netty commit 41d3d61 (merged into version 4.1.68.Final and later). The patch adds a check that throws a DecompressionException if the block length exceeds MAX_BLOCK_LENGTH (defined as MAX_BLOCK_SIZE * BASE_BLOCK_SIZE). Users should upgrade to Netty 4.1.68.Final or later. No workaround is available other than avoiding the use of Bzip2Decoder. [2][3]
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
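The mitigation above bounds the decoded block length. As an added example, not code from Netty or the advisory, the following Python applies the same idea to a bzip2 stream: it validates the header block-size digit and decompresses under an explicit output cap, so a small input that expands past MAX_BLOCK_LENGTH is rejected before a full-size buffer exists. BASE_BLOCK_SIZE = 100,000 is the bzip2 format's per-level block size; the helper names and the DecompressionError class are assumptions.

```python
import bz2

# Constants of the bzip2 format: the stream header is "BZh" followed by a digit
# '1'..'9' selecting a block size of digit * 100 000 bytes. The names mirror the
# ones quoted from Netty's fix (MAX_BLOCK_SIZE, BASE_BLOCK_SIZE, MAX_BLOCK_LENGTH);
# the value of BASE_BLOCK_SIZE comes from the format, not from the Netty source.
BASE_BLOCK_SIZE = 100_000
MIN_BLOCK_SIZE = 1
MAX_BLOCK_SIZE = 9
MAX_BLOCK_LENGTH = MAX_BLOCK_SIZE * BASE_BLOCK_SIZE   # 900 000 bytes


class DecompressionError(ValueError):
    """Raised for malformed input or output exceeding the configured bound."""


def declared_block_length(stream: bytes) -> int:
    """Validate the 4-byte header 'BZh<digit>' and return the block length it declares."""
    if len(stream) < 4 or stream[:3] != b"BZh":
        raise DecompressionError("not a bzip2 stream")
    level = stream[3] - ord("0")
    if not MIN_BLOCK_SIZE <= level <= MAX_BLOCK_SIZE:
        raise DecompressionError("invalid block size digit: %r" % stream[3:4])
    return level * BASE_BLOCK_SIZE


def bounded_decompress(stream: bytes, max_output: int = MAX_BLOCK_LENGTH) -> bytes:
    """Decompress incrementally and refuse to produce more than max_output bytes.

    Each step asks the decompressor for at most (remaining + 1) bytes, so an
    oversized stream is rejected as soon as it crosses the bound instead of
    after a buffer sized by attacker-controlled data has been allocated.
    """
    declared_block_length(stream)          # reject bad headers before decoding
    dec = bz2.BZ2Decompressor()
    out = bytearray()
    data = stream
    while True:
        chunk = dec.decompress(data, max_length=max_output - len(out) + 1)
        out += chunk
        if len(out) > max_output:
            raise DecompressionError("decompressed output exceeds %d bytes" % max_output)
        if dec.eof:
            return bytes(out)
        if dec.needs_input:                # all input consumed, no end-of-stream seen
            raise DecompressionError("truncated bzip2 stream")
        data = b""                         # more output pending from buffered input
```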
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| io.netty:netty-codec | Maven | < 4.1.68.Final | 4.1.68.Final |
| org.jboss.netty:netty | Maven | >= 0 | none |
| io.netty:netty | Maven | >= 0 | none |
Affected products
OSV coordinates (11, listed with the affected range recorded for each) plus one vendor entry without a CPE:

| Package (purl) | Affected range |
|---|---|
| pkg:apk/chainguard/druid-compat | < 34.0.0-r6 |
| pkg:apk/chainguard/hadoop-fips-3.3.6 | < 3.3.6-r0 |
| pkg:apk/wolfi/druid-compat | < 34.0.0-r6 |
| pkg:maven/io.netty/netty | >= 0 |
| pkg:maven/io.netty/netty-codec | < 4.1.68.Final |
| pkg:maven/org.jboss.netty/netty | >= 0 |
| pkg:rpm/opensuse/netty (distro: openSUSE Leap 15.3) | < 4.1.75-150200.4.6.2 |
| pkg:rpm/opensuse/netty (distro: openSUSE Tumbleweed) | < 4.1.114-1.1 |
| pkg:rpm/suse/netty (distro: SUSE Manager Server Module 4.1) | < 4.1.44.Final-150200.3.4.2 |
| pkg:rpm/suse/netty (distro: SUSE Manager Server Module 4.2) | < 4.1.44.Final-150300.4.3.2 |
| pkg:rpm/suse/netty (distro: SUSE Manager Server Module 4.3) | < 4.1.44.Final-150400.3.3.2 |
| The Netty project / Netty v5 (no CPE) | unspecified |
Patches
Commit 41d3d61a6160: Merge pull request from GHSA-grg4-wf29-r9vv
3 files changed · +15 −7
codec/src/main/java/io/netty/handler/codec/compression/Bzip2BlockDecompressor.java+5 −0 modified@@ -228,6 +228,11 @@ boolean decodeHuffmanData(final Bzip2HuffmanStageDecoder huffmanDecoder) { bwtBlock[bwtBlockLength++] = nextByte; } } + if (bwtBlockLength > MAX_BLOCK_LENGTH) { + throw new DecompressionException("block length exceeds max block length: " + + bwtBlockLength + " > " + MAX_BLOCK_LENGTH); + } + this.bwtBlockLength = bwtBlockLength; initialiseInverseBWT(); return true;
codec/src/main/java/io/netty/handler/codec/compression/Bzip2Constants.java+2 −0 modified@@ -49,6 +49,8 @@ final class Bzip2Constants { static final int MIN_BLOCK_SIZE = 1; static final int MAX_BLOCK_SIZE = 9; + static final int MAX_BLOCK_LENGTH = MAX_BLOCK_SIZE * BASE_BLOCK_SIZE; + /** * Maximum possible Huffman alphabet size. */
codec/src/main/java/io/netty/handler/codec/compression/Bzip2Decoder.java+8 −7 modified@@ -291,26 +291,27 @@ protected void decode(ChannelHandlerContext ctx, ByteBuf in, List<Object> out) t } final int blockLength = blockDecompressor.blockLength(); - final ByteBuf uncompressed = ctx.alloc().buffer(blockLength); - boolean success = false; + ByteBuf uncompressed = ctx.alloc().buffer(blockLength); try { int uncByte; while ((uncByte = blockDecompressor.read()) >= 0) { uncompressed.writeByte(uncByte); } - + // We did read all the data, lets reset the state and do the CRC check. + currentState = State.INIT_BLOCK; int currentBlockCRC = blockDecompressor.checkCRC(); streamCRC = (streamCRC << 1 | streamCRC >>> 31) ^ currentBlockCRC; out.add(uncompressed); - success = true; + uncompressed = null; } finally { - if (!success) { + if (uncompressed != null) { uncompressed.release(); } } - currentState = State.INIT_BLOCK; - break; + // Return here so the ByteBuf that was put in the List will be forwarded to the user and so can be + // released as soon as possible. + return; case EOF: in.skipBytes(in.readableBytes()); return;
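Review bot: in the Bzip2BlockDecompressor.java hunk the new `bwtBlockLength > MAX_BLOCK_LENGTH` check sits after the decode loop, so every `bwtBlock[bwtBlockLength++] = nextByte;` write has already run by the time the length is validated; an oversized block is therefore fully decoded into `bwtBlock` before it is rejected. Consider moving the comparison inside the loop, ahead of the write, so the first excess byte throws, or add a comment stating that this check exists to bound the later `blockLength()`-based allocation in Bzip2Decoder rather than the array write. The change set (3 files, +15 −7) also includes no test that feeds a block declaring a length above MAX_BLOCK_LENGTH and asserts on the DecompressionException.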
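Review bot: the new `MAX_BLOCK_LENGTH` constant in the Bzip2Constants.java hunk carries no Javadoc while the neighbouring constant immediately below it ("Maximum possible Huffman alphabet size.") does; add a one-line comment giving its unit (bytes of decoded block data) and its origin as the product of the largest header block-size digit `MAX_BLOCK_SIZE` (9) and `BASE_BLOCK_SIZE`. `BASE_BLOCK_SIZE` itself is not visible in this hunk, so the reviewer should confirm it is a fixed per-level constant and not a value derived from the input stream, since the bound is only as trustworthy as that factor.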
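Review bot: in the Bzip2Decoder.java hunk `currentState = State.INIT_BLOCK;` is now assigned before `blockDecompressor.checkCRC()` rather than after the block has been emitted, so a CRC failure that throws leaves the decoder in INIT_BLOCK instead of the previous state; if that is intended (a DecompressionException ends the connection anyway), say so in the comment, which should also read "let's reset" rather than "lets reset". Replacing `break;` with `return;` means bytes still readable in `in` are not consumed during this call; that is correct only because ByteToMessageDecoder invokes decode() again while input remains readable, which is worth stating beside the existing comment about forwarding the ByteBuf. The `uncompressed = null;` hand-off with `if (uncompressed != null)` in `finally` is the right way to release the buffer only on the failure path.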
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-grg4-wf29-r9vv (GHSA; advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-37136 (GHSA; advisory)
- www.debian.org/security/2023/dsa-5316 (GHSA; vendor advisory)
- github.com/netty/netty/blob/4.1/codec/src/main/java/io/netty/handler/codec/compression/Bzip2Decoder.java (GHSA; web)
- github.com/netty/netty/commit/41d3d61a61608f2223bb364955ab2045dd5e4020 (GHSA; web)
- github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv (GHSA; web)
- lists.apache.org/thread.html/r06a145c9bd41a7344da242cef07977b24abe3349161ede948e30913d%40%3Ccommits.druid.apache.org%3E (MITRE, GHSA; mailing list)
- lists.apache.org/thread.html/r5406eaf3b07577d233b9f07cfc8f26e28369e6bab5edfcab41f28abb%40%3Ccommits.druid.apache.org%3E (MITRE, GHSA; mailing list)
- lists.apache.org/thread.html/r5e05eba32476c580412f9fbdfc9b8782d5b40558018ac4ac07192a04%40%3Ccommits.druid.apache.org%3E (MITRE, GHSA; mailing list)
- lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0%40%3Ccommits.druid.apache.org%3E (MITRE, GHSA; mailing list)
- lists.apache.org/thread.html/rd262f59b1586a108e320e5c966feeafbb1b8cdc96965debc7cc10b16%40%3Ccommits.druid.apache.org%3E (MITRE, GHSA; mailing list)
- lists.apache.org/thread.html/rfb2bf8597e53364ccab212fbcbb2a4e9f0a9e1429b1dc08023c6868e%40%3Cdev.tinkerpop.apache.org%3E (MITRE, GHSA; mailing list)
- lists.debian.org/debian-lts-announce/2023/01/msg00008.html (GHSA; mailing list)
- security.netapp.com/advisory/ntap-20220210-0012 (GHSA, MITRE; web)
- www.oracle.com/security-alerts/cpuapr2022.html (GHSA; web)
- www.oracle.com/security-alerts/cpujan2022.html (GHSA; web)
- www.oracle.com/security-alerts/cpujul2022.html (GHSA; web)