Netty HAProxy: Unbalanced Reference Count in Nested PP2_TYPE_SSL TLV Parsing Leads to Memory Exhaustion

Vulnerability

The HAProxy PROXY protocol v2 codec in Netty (io.netty:netty-codec-haproxy) leaks native or heap memory on every connection when a client sends a syntactically valid header containing nested PP2_TYPE_SSL TLVs at depth two or greater [1][4]. The leak occurs on the successful parse path — no exception is thrown, the message fires downstream, the decoder removes itself, and the application releases the HAProxyMessage normally. Yet the underlying cumulation buffer (a pooled, potentially direct ByteBuf allocated by the channel) remains permanently pinned. Affected versions include all prior to netty-4.1.135.Final and netty-4.2.15.Final [2][3].

Exploitation

An attacker with network access can send a crafted HAProxy PROXY protocol v2 header containing nested PP2_TYPE_SSL TLVs. No authentication or special privileges are required. Each such connection causes the successful parse to pin the cumulation buffer, leading to cumulative memory exhaustion [1][4].

Impact

Successful exploitation results in indefinite memory consumption (native or heap) per connection, eventually exhausting available memory and causing denial of service. The application itself releases the HAProxyMessage normally, but the underlying buffer remains pinned [1][4].

Mitigation

Fixed in Netty versions 4.1.135.Final and 4.2.15.Final, released on June 11, 2026 [2][3]. Users should upgrade to these versions or later. No workaround is documented; the advisory recommends updating the io.netty:netty-codec-haproxy dependency.