Netty: Six High-Severity CVEs Disclosed Together — Memory Leaks in Redis, HAProxy, and HTTP/2 Codecs

Key findings
- Six high-severity CVEs disclosed together in Netty on June 11, 2026
- Three Redis codec bugs allow DoS via malformed payloads, nested arrays, or incomplete aggregates
- HAProxy PROXY protocol v2 codec leaks memory on every valid nested TLV parse (CVE-2026-48059)
- HTTP/2 decompression listener leaks pooled ByteBufs during gzip/deflate/zstd decompression (CVE-2026-48043)
- IPv6 subnet filter bypass (CVE-2026-44249, CVSS 8.1) allows public IPs to evade access rules
- All six bugs fixed in Netty 4.1.135.Final and 4.2.15.Final
On June 11, 2026, six high-severity vulnerabilities were disclosed together in the Netty Java network application framework, spanning its Redis codec, HAProxy protocol handler, HTTP/2 decompression pipeline, and IP filtering subsystem. The batch — all published within a nine-hour window — is dominated by memory-exhaustion and denial-of-service (DoS) bugs, with one IPv6 access-control bypass rounding out the set. For organizations running Netty-based protocol servers, the cluster signals that resource accounting in several codec paths was insufficient, leaving servers exposed to crafted network payloads that can silently exhaust heap or direct memory.
Three of the six CVEs target the Redis protocol codec (netty-codec-redis). CVE-2026-44890 (CVSS 7.5) allows an attacker to cause DoS by sending, across many connections, crafted Redis payloads that never carry the required \r\n terminator; the decoder keeps buffering each connection's unterminated frame while it waits for the line ending, and the accumulated buffers exhaust the server's direct memory pool. CVE-2026-44250 (CVSS 7.5) exploits deeply nested Redis arrays that force the server to allocate a massive number of state objects, again leading to memory exhaustion. CVE-2026-48006 (high severity) concerns a lifecycle gap in the RedisArrayAggregator handler: when a Redis pipeline connection closes before a RESP array aggregate completes, pooled direct-memory buffers are permanently leaked because the handler defines no channelInactive, handlerRemoved, or exceptionCaught cleanup. Taken together, the three Redis bugs give an attacker three distinct vectors (malformed terminators, nested structures, and incomplete aggregates) to starve a Netty server of memory.
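The nesting cap and the lifecycle cleanup described above, as an added illustration that is not Netty's own RedisArrayAggregator or any code from the advisories: a hypothetical BoundedArrayAggregator that retains inbound ByteBuf elements until an array header's count is satisfied, bounds nesting depth and in-flight bytes, and releases everything still pending in channelInactive, handlerRemoved, and exceptionCaught. The "*<n>" header convention, the MAX_DEPTH and MAX_PENDING_BYTES limits, and the sample frames in main are all assumptions made for the example.

```java
import io.netty.buffer.ByteBuf;
import io.netty.buffer.Unpooled;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelInboundHandlerAdapter;
import io.netty.channel.embedded.EmbeddedChannel;
import io.netty.handler.codec.DecoderException;
import io.netty.util.CharsetUtil;
import io.netty.util.ReferenceCountUtil;

import java.util.ArrayDeque;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Deque;
import java.util.List;

/**
 * Hypothetical aggregator (not Netty's RedisArrayAggregator). Inbound ByteBufs are
 * either an array header "*<n>" or one element. Elements are retained until the
 * enclosing array is complete, so this handler owns memory across reads and must
 * give it back on every exit path, not only when an aggregate completes.
 */
public final class BoundedArrayAggregator extends ChannelInboundHandlerAdapter {
    private static final int MAX_DEPTH = 8;                  // assumed nesting cap
    private static final long MAX_PENDING_BYTES = 64 * 1024; // assumed in-flight cap

    private static final class Frame {
        final int expected;
        final List<Object> elements = new ArrayList<>(); // ByteBuf or nested List
        Frame(int expected) { this.expected = expected; }
    }

    private final Deque<Frame> stack = new ArrayDeque<>();
    private long pendingBytes;

    @Override
    public void channelRead(ChannelHandlerContext ctx, Object msg) {
        if (!(msg instanceof ByteBuf)) { ctx.fireChannelRead(msg); return; }
        ByteBuf buf = (ByteBuf) msg;
        try {
            if (buf.isReadable() && buf.getByte(buf.readerIndex()) == '*') {
                int n = Integer.parseInt(buf.toString(buf.readerIndex() + 1,
                        buf.readableBytes() - 1, CharsetUtil.US_ASCII));
                // Bound nesting before allocating state for the new array.
                if (n < 0 || stack.size() >= MAX_DEPTH) {
                    throw new DecoderException("array length or nesting out of bounds: " + n);
                }
                if (n == 0) addElement(ctx, Collections.emptyList()); else stack.push(new Frame(n));
                return; // header buffer is released in finally
            }
            if (stack.isEmpty()) { ctx.fireChannelRead(buf.retain()); return; } // bare element
            pendingBytes += buf.readableBytes();
            if (pendingBytes > MAX_PENDING_BYTES) {
                throw new DecoderException("incomplete aggregate exceeds " + MAX_PENDING_BYTES + " bytes");
            }
            addElement(ctx, buf.retain()); // the frame now owns one reference
        } finally {
            buf.release();                 // drop the reference the pipeline handed us
        }
    }

    // Adds a finished element to the innermost frame; emits arrays as they fill.
    private void addElement(ChannelHandlerContext ctx, Object element) {
        Object current = element;
        for (;;) {
            Frame top = stack.peek();
            if (top == null) { pendingBytes = 0; ctx.fireChannelRead(current); return; }
            top.elements.add(current);
            if (top.elements.size() < top.expected) return;
            stack.pop();
            current = top.elements; // completed array becomes one element of its parent
        }
    }

    // The cleanup the text says the vulnerable handler lacked: every exit path
    // releases whatever is still pending.
    @Override public void channelInactive(ChannelHandlerContext ctx) { releasePending(); ctx.fireChannelInactive(); }
    @Override public void handlerRemoved(ChannelHandlerContext ctx) { releasePending(); }
    @Override public void exceptionCaught(ChannelHandlerContext ctx, Throwable cause) {
        releasePending(); ctx.fireExceptionCaught(cause);
    }

    private void releasePending() {
        for (Frame f : stack) releaseAll(f.elements);
        stack.clear();
        pendingBytes = 0;
    }

    @SuppressWarnings("unchecked")
    private static void releaseAll(List<Object> elements) {
        for (Object o : elements) {
            if (o instanceof List) releaseAll((List<Object>) o); else ReferenceCountUtil.release(o);
        }
    }

    public static void main(String[] args) {
        EmbeddedChannel ch = new EmbeddedChannel(new BoundedArrayAggregator());
        ByteBuf header = Unpooled.copiedBuffer("*3", CharsetUtil.US_ASCII);  // constructed sample
        ByteBuf first = Unpooled.copiedBuffer("GET", CharsetUtil.US_ASCII); // constructed sample
        ch.writeInbound(header, first); // 1 of 3 elements arrived: aggregate stays pending
        System.out.println("refCnt while pending: " + first.refCnt());
        ch.close();                     // peer disconnects: channelInactive -> releasePending
        System.out.println("refCnt after close:   " + first.refCnt());
    }
}
```

Run main: the element's refCnt is 1 while the half-finished aggregate is pending (the frame holds it) and 0 after the close, because channelInactive released it; delete the three lifecycle overrides and the second value stays at 1, which is the leak class the advisory describes.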
Two additional CVEs involve memory leaks in other protocol handlers. CVE-2026-48059 (high) affects the HAProxy PROXY protocol v2 codec: a client can send a syntactically valid header containing nested PP2_TYPE_SSL TLVs at depth two or greater, causing a native or heap memory leak on every connection. Critically, the leak occurs on the successful parse path with no exception thrown, so error-rate dashboards and exception logs show nothing; only memory metrics or Netty's ResourceLeakDetector will surface it. CVE-2026-48043 (high) targets HTTP/2 decompression via the DelegatingDecompressorFrameListener class, which orchestrates per-stream decompression (gzip, deflate, zstd) through an embedded EmbeddedChannel. Each decompressed chunk is a pooled ByteBuf that, under certain conditions, is never released, leading to progressive memory exhaustion.
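The ownership rule behind the HTTP/2 case, as an added example rather than code from Netty or from DelegatingDecompressorFrameListener: an embedded zlib decoder hands every output chunk to the caller as a fresh reference-counted ByteBuf, so the caller must release each chunk and tear the embedded channel down on every exit path. The class name, the gzip round-trip used to build input offline, and the sample body are assumptions made for the example; the block does not reproduce the conditions of CVE-2026-48043, it shows the discipline that prevents the leak class.

```java
import io.netty.buffer.ByteBuf;
import io.netty.buffer.Unpooled;
import io.netty.channel.embedded.EmbeddedChannel;
import io.netty.handler.codec.compression.ZlibCodecFactory;
import io.netty.handler.codec.compression.ZlibWrapper;
import io.netty.util.CharsetUtil;
import io.netty.util.ResourceLeakDetector;

/**
 * Hypothetical drain loop for an EmbeddedChannel-based decompressor (not Netty's
 * DelegatingDecompressorFrameListener). Each chunk the embedded decoder emits is a
 * separate ByteBuf owned by whoever calls readInbound(); this loop releases every
 * one of them and finishes the embedded channel even if decoding throws.
 */
public final class DrainingDecompressor {

    /** Inflates one gzip-compressed buffer to text, releasing every output chunk. */
    static String inflate(ByteBuf compressed) {
        EmbeddedChannel dec = new EmbeddedChannel(ZlibCodecFactory.newZlibDecoder(ZlibWrapper.GZIP));
        StringBuilder out = new StringBuilder();
        try {
            dec.writeInbound(compressed); // the decoder takes over this reference
            for (;;) {
                ByteBuf chunk = dec.readInbound();
                if (chunk == null) break;
                try {
                    out.append(chunk.toString(CharsetUtil.UTF_8));
                } finally {
                    chunk.release(); // the step a leaking listener skips
                }
            }
        } finally {
            // Releases anything still queued if the decoder threw mid-stream.
            dec.finishAndReleaseAll();
        }
        return out.toString();
    }

    /** Builds gzip input offline so the example runs without network or files. */
    static ByteBuf gzip(String text) {
        EmbeddedChannel enc = new EmbeddedChannel(ZlibCodecFactory.newZlibEncoder(ZlibWrapper.GZIP));
        enc.writeOutbound(Unpooled.copiedBuffer(text, CharsetUtil.UTF_8));
        enc.finish(); // closing the encoder writes the gzip trailer
        ByteBuf all = Unpooled.buffer();
        for (;;) {
            ByteBuf part = enc.readOutbound();
            if (part == null) break;
            all.writeBytes(part);
            part.release();
        }
        return all;
    }

    public static void main(String[] args) {
        // Make forgotten releases loud: at PARANOID every buffer is tracked and a
        // leak is logged when it is garbage-collected with a non-zero refCnt.
        ResourceLeakDetector.setLevel(ResourceLeakDetector.Level.PARANOID);
        StringBuilder body = new StringBuilder(); // constructed sample body
        for (int i = 0; i < 20; i++) body.append("constructed sample line ").append(i).append('\n');
        ByteBuf compressed = gzip(body.toString());
        System.out.println("compressed bytes: " + compressed.readableBytes());
        String text = inflate(compressed);
        System.out.println("inflated chars:   " + text.length());
        System.out.println("round-trip intact: " + text.contentEquals(body));
    }
}
```

The try/finally pair is the whole point: the inner one guarantees each chunk's release, the outer one guarantees finishAndReleaseAll() runs when writeInbound() throws on a corrupt stream, which is exactly the moment a stream-close or error path in a per-stream listener tends to forget its buffers.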
The sole non-memory-exhaustion CVE in the batch is CVE-2026-44249 (CVSS 8.1), an IPv6 subnet filter bypass in netty-handler. An incorrect masking operation in IpSubnetFilterRule.compareTo() allows valid public IP addresses to bypass the intended restriction, so an administrator who configures an IPv6 subnet rule may find that addresses outside the subnet are treated as if they were inside it. While not a DoS bug, its higher CVSS score reflects the potential for access-control bypass in environments that rely on Netty's IP filtering for network segmentation.
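A check a practitioner would want before and after the upgrade, added here and not part of Netty or the advisory: compare the verdict of a real IpSubnetFilterRule, both via matches() and via the IpSubnetFilter handler that consults compareTo() through its binary search, against a plain byte-wise prefix comparison on a set of probe addresses. The page does not say which bits the faulty mask mishandles, so the constructed probes cover the usual places a 128-bit masking error shows up: a difference only in the top nibble, only in the low 64 bits, and at a prefix length that is not byte-aligned. The AuditableFilter subclass assumes IpSubnetFilter.accept() does not consult the ChannelHandlerContext it is given, which is why a null context is passed.

```java
import io.netty.handler.ipfilter.IpFilterRuleType;
import io.netty.handler.ipfilter.IpSubnetFilter;
import io.netty.handler.ipfilter.IpSubnetFilterRule;

import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.List;

/** Added audit (not Netty code): cross-checks an IPv6 subnet rule against a reference matcher. */
public final class SubnetRuleAudit {

    /** Reference check: the first `prefix` bits of addr equal those of net. */
    static boolean inPrefix(byte[] addr, byte[] net, int prefix) {
        if (addr.length != net.length || prefix < 0 || prefix > net.length * 8) {
            return false; // family mismatch or bad prefix never matches
        }
        int fullBytes = prefix / 8;
        for (int i = 0; i < fullBytes; i++) {
            if (addr[i] != net[i]) return false;
        }
        int rem = prefix % 8;
        if (rem == 0) return true;
        int mask = (0xFF << (8 - rem)) & 0xFF; // top `rem` bits of the partial byte
        return (addr[fullBytes] & mask) == (net[fullBytes] & mask);
    }

    /** Exposes the handler's decision without a live channel (assumes accept() ignores ctx). */
    static final class AuditableFilter extends IpSubnetFilter {
        AuditableFilter(IpSubnetFilterRule rule) { super(rule); }
        boolean decide(InetAddress a) { return accept(null, new InetSocketAddress(a, 0)); }
    }

    /** Returns the probes on which Netty's rule or filter disagrees with the reference. */
    static List<String> audit(String network, int prefix, String... probes) throws UnknownHostException {
        InetAddress net = InetAddress.getByName(network); // IP literal: no DNS lookup
        IpSubnetFilterRule rule = new IpSubnetFilterRule(net, prefix, IpFilterRuleType.REJECT);
        AuditableFilter filter = new AuditableFilter(rule); // acceptIfNotFound defaults to true
        List<String> mismatches = new ArrayList<>();
        for (String probe : probes) {
            InetAddress addr = InetAddress.getByName(probe);
            boolean inside = inPrefix(addr.getAddress(), net.getAddress(), prefix);
            boolean ruleSaysInside = rule.matches(new InetSocketAddress(addr, 0));
            boolean filterAccepts = filter.decide(addr); // REJECT rule: accept only if outside
            if (ruleSaysInside != inside || filterAccepts == inside) {
                mismatches.add(probe + " reference=" + inside + " matches=" + ruleSaysInside
                        + " filterAccepts=" + filterAccepts);
            }
        }
        return mismatches;
    }

    public static void main(String[] args) throws UnknownHostException {
        // Constructed probes against 2001:db8::/45, which covers 2001:db8:0:: to 2001:db8:7:ffff:...
        List<String> bad = audit("2001:db8::", 45,
                "2001:db8:1::1",                        // inside
                "2001:db8:6:ffff:ffff:ffff:ffff:ffff",  // inside, every low bit set
                "2001:db8:1:0:8000::1",                 // inside, differs only in the low 64 bits
                "2001:db8:8::1",                        // outside by exactly one bit at position 45
                "2001:db9::1",                          // outside, high 32 bits differ
                "3001:db8:1::1");                       // outside, only the first nibble differs
        System.out.println(bad.isEmpty() ? "rule agrees with reference on all probes" : bad);
    }
}
```

Run this against the Netty version actually on the classpath. Any line printed is an address the filter classifies differently from a straightforward prefix comparison; the /45 prefix is chosen deliberately so that the partial-byte mask is exercised, since byte-aligned prefixes such as /64 can pass while a bit-level masking error still exists.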
All six vulnerabilities are fixed in Netty versions 4.1.135.Final and 4.2.15.Final. Users running earlier releases should upgrade immediately; no workarounds are documented for the Redis or HAProxy codec issues, making the patch the only reliable mitigation. Because Netty is usually pulled in transitively (by gRPC, Reactor Netty, Vert.x, Elasticsearch and Cassandra clients, and similar), check the resolved version in the dependency tree rather than a version declared in a top-level build file, and pin it where the framework's own release lags. The fixes were coordinated by the Netty project maintainers and published simultaneously across the affected modules.
This June 11 batch follows closely on the heels of a larger disclosure of 12 Netty CVEs on June 8, 2026, which included additional DoS issues and critical DNS cache-poisoning flaws (Vypr Intelligence). The rapid succession of advisories underscores that Netty's codec and protocol-handler layers are undergoing sustained security review. For teams operating Netty-based gateways, load balancers, or Redis proxies, the pattern is clear: memory accounting in stateful protocol parsers remains a recurring weak spot, and the project's accelerated patch cadence demands equally fast adoption.