VYPR
Vendor

Netty

Products
3
CVEs
64
Across products
64
Status
Private

Products

3

Recent CVEs

64
View all 64 CVEs →
  • CVE-2023-44487HigKEVOct 10, 2023
    risk 0.65cvss 7.5epss 1.00

    The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

  • CVE-2026-47691HigJun 12, 2026
    risk 0.57cvss 8.7epss 0.00

    Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty's `DnsResolveContext` insufficiently validates the bailiwick of NS records, enabling DNS Cache Poisoning. An attacker controlling an…

  • CVE-2026-45674HigJun 12, 2026
    risk 0.57cvss 8.7epss 0.00

    Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty's DnsResolveContext fails to validate the origin (bailiwick) of CNAME records in DNS responses. Versions 4.1.135.Final and…

  • CVE-2026-44249HigJun 11, 2026
    risk 0.53cvss 8.1epss 0.00

    Netty is a network application framework for development of protocol servers and clients. In netty-handler prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can bypass IPv6 subnet rules due to an incorrect masking operation in IpSubnetFilterRule.compareTo(). Valid…

  • CVE-2026-48040CriJun 4, 2026
    risk 0.52cvss 9.1epss 0.00

    The netty incubator codec.bhttp is a java language binary http parser. The library implements Oblivious HTTP (RFC 9458) using BoringSSL's HPKE C library via JNI. When deriving native memory addresses for cryptographic operations versions prior to 0.0.22.Final provide a fallback…

  • CVE-2016-4970HigApr 13, 2017
    risk 0.50cvss 7.5epss 0.11

    handler/ssl/OpenSslEngine.java in Netty 4.0.x before 4.0.37.Final and 4.1.x before 4.1.1.Final allows remote attackers to cause a denial of service (infinite loop).

  • CVE-2026-50011HigJun 12, 2026
    risk 0.49cvss 7.5epss 0.00

    Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, RedisArrayAggregator pre-allocates ArrayList with initial capacity equal to the RESP array element count declared in an array header. That…

  • CVE-2026-50010HigJun 12, 2026
    risk 0.49cvss 7.5epss 0.00

    Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, SimpleTrustManagerFactory.engineGetTrustManagers() and related paths wrap any user-supplied plain X509TrustManager in…

  • CVE-2026-48748HigJun 12, 2026
    risk 0.49cvss 7.5epss 0.00

    Netty is a network application framework for development of protocol servers and clients. Prior to version 4.2.15.Final, a memory exhaustion vulnerability in the Netty HTTP/3 codec allows the creation of an infinite number of blocked streams, which can cause OOM error. Version…

  • CVE-2026-48059HigJun 12, 2026
    risk 0.49cvss 7.5epss 0.00

    Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, the HAProxy PROXY protocol v2 codec in netty leaks native or heap memory on every connection when a client sends a syntactically valid…

  • CVE-2026-48006HigJun 12, 2026
    risk 0.49cvss 7.5epss 0.00

    Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, the RedisArrayAggregator handler permanently leaks pooled direct-memory buffers when a Redis pipeline connection closes before a RESP array…

  • CVE-2026-46340HigJun 12, 2026
    risk 0.49cvss 7.5epss 0.00

    Netty is a network application framework for development of protocol servers and clients. In versions of netty-transport-sctp prior to 4.1.135.Final and 4.2.15.Final, for each non-complete SctpMessage fragment the handler does `fragments.put(streamId,…

  • CVE-2026-45416HigJun 12, 2026
    risk 0.49cvss 7.5epss 0.00

    Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, SslClientHelloHandler.decode() reads the 24-bit TLS handshake length and, when the ClientHello does not fit in the first record, eagerly…

  • CVE-2026-44894HigJun 12, 2026
    risk 0.49cvss 7.5epss 0.00

    Netty is a network application framework for development of protocol servers and clients. NoQuicTokenHandler is the tokenHandler used when the application does not set one. Prior to version 4.2.15.Final, its writeToken() returns false (server will not send Retry — acceptable),…

  • CVE-2026-44893HigJun 12, 2026
    risk 0.49cvss 7.5epss 0.00

    Netty is a network application framework for development of protocol servers and clients. In netty-codec-haproxy prior to versions 4.1.135.Final and 4.2.15.Final, when decoding a PP2_TYPE_SSL TLV, HAProxyMessage.readNextTLV() first calls `header.retainedSlice(header.readerIndex()…

  • CVE-2026-44892HigJun 12, 2026
    risk 0.49cvss 7.5epss 0.00

    Netty is a network application framework for development of protocol servers and clients. Prior to version 4.2.15.Final, the default configuration of the `Http3ConnectionHandler` in the Netty HTTP/3 codec lacks an enforced maximum header size limit. When a peer does not…

  • CVE-2026-44890HigJun 11, 2026
    risk 0.49cvss 7.5epss 0.00

    Netty is a network application framework for development of protocol servers and clients. In netty-codec-redis prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can cause DoS by sending crafted Redis payloads across multiple connections without `\r\n`. This exhausts…

  • CVE-2026-44250HigJun 11, 2026
    risk 0.49cvss 7.5epss 0.00

    Netty is a network application framework for development of protocol servers and clients. In netty-codec-redis prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can cause DoS by sending a crafted Redis payload with deeply nested arrays. This forces the server to…

  • CVE-2026-42587HigMay 13, 2026
    risk 0.49cvss 7.5epss 0.01

    Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced…

  • CVE-2026-42583HigMay 13, 2026
    risk 0.49cvss 7.5epss 0.00

    Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Lz4FrameDecoder allocates a ByteBuf of size decompressedLength (up to 32 MB per block) before LZ4 runs. A peer only needs a 21-byte header plus compressedLength payload…