Netty: SCTP reassembly nests buffers without bound

Vulnerability

In Netty versions <= 4.1.134.Final and >= 4.2.0.Final, <= 4.2.14.Final, the SCTP message fragment handler creates a deeply nested CompositeByteBuf for each non-complete fragment. This occurs when processing SctpMessage fragments, where each new fragment wraps the previous accumulator into a new composite buffer. There is no limit on the number of fragments, total bytes, or stream identifiers, allowing an attacker to continuously send incomplete fragments to grow this structure indefinitely [3], [4].

Exploitation

An attacker needs network access to the vulnerable Netty service. By sending a series of incomplete SCTP DATA chunks without the complete flag set, an attacker can trigger the creation of an N-deep chain of composite buffers. This process can be initiated with small data chunks and repeated without any limits on the total size or number of stream identifiers, leading to resource exhaustion [3], [4].

Impact

Successful exploitation of this vulnerability leads to memory exhaustion, potentially causing a denial-of-service (DoS) condition. The recursive nature of accessing data in the deeply nested composite buffers consumes significant memory resources, preventing the application from functioning correctly [3], [4].

Mitigation

This vulnerability is fixed in Netty version 4.1.135.Final released on 2026-06-08 and 4.2.15.Final released on 2026-06-08. Users should upgrade to these patched versions or later. No workarounds are specified in the available references [1], [2], [3].