Source: netty
Version: 1:4.1.48-16
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for netty.

CVE-2026-44248[0]:
| Netty is an asynchronous, event-driven network application
| framework. Prior to 4.2.13.Final and 4.1.133.Final, the MQTT 5
| header Properties section is parsed and buffered before any message
| size limit is applied. Specifically, in MqttDecoder, the
| decodeVariableHeader() method is called before the
| bytesRemainingBeforeVariableHeader > maxBytesInMessage check. The
| decodeVariableHeader() can call other methods which will call
| decodeProperties(). Effectively, Netty does not apply any limits to
| the size of the properties being decoded. Additionally, because
| MqttDecoder extends ReplayingDecoder, Netty will repeatedly re-parse
| the enormous Properties sections and buffer the bytes in memory,
| until the entire thing parses to completion. This can cause high
| resource usage in both CPU and memory. This vulnerability is fixed
| in 4.2.13.Final and 4.1.133.Final.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-44248
    https://www.cve.org/CVERecord?id=CVE-2026-44248
[1] https://github.com/netty/netty/security/advisories/GHSA-jfg9-48mv-9qgx

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
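As an added illustration of the ordering problem the advisory describes (this is not Netty's MqttDecoder and not the upstream fix), the following Python models a toy MQTT-style decoder in two variants: one that parses and buffers the whole Properties section before comparing the Remaining Length against the size limit, and one that checks the limit first. A small harness imitates a replaying decoder that re-parses from byte 0 whenever the frame is still truncated, so the bytes-examined count shows why the late check costs CPU and memory on chunked input. The names `MAX_BYTES_IN_MESSAGE`, `decode_limit_after_properties`, `decode_limit_first`, `replaying_feed` and `build_frame` are assumptions for this demo, the frames are constructed, the variable header is reduced to just its Properties section, and only the User Property (0x26) is understood.

```python
"""Constructed demo of where a message-size limit must sit in a replaying
decoder.  Models the check ordering in the advisory, not Netty's code."""

MAX_BYTES_IN_MESSAGE = 256  # hypothetical limit for the demo (Netty's setting is maxBytesInMessage)


class DecodeError(Exception):
    """Frame rejected as malformed or over the size limit."""


class NeedMoreData(Exception):
    """Truncated frame: a replaying decoder waits for more bytes, then re-parses from byte 0."""
    def __init__(self, bytes_examined):
        super().__init__("need more data")
        self.bytes_examined = bytes_examined


def encode_varint(value):
    """MQTT variable byte integer: 7 data bits per byte, 0x80 marks continuation."""
    out = bytearray()
    while True:
        byte, value = value % 128, value // 128
        out.append(byte | 0x80 if value else byte)
        if not value:
            return bytes(out)


def read_varint(buf, pos):
    value, multiplier = 0, 1
    for i in range(4):  # the encoding allows at most four bytes
        if pos + i >= len(buf):
            raise NeedMoreData(len(buf))
        byte = buf[pos + i]
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, pos + i + 1
        multiplier *= 128
    raise DecodeError("malformed variable byte integer")


def read_utf8_string(buf, pos):
    """Two-byte big-endian length prefix followed by UTF-8 bytes."""
    if pos + 2 > len(buf):
        raise NeedMoreData(len(buf))
    end = pos + 2 + int.from_bytes(buf[pos:pos + 2], "big")
    if end > len(buf):
        raise NeedMoreData(len(buf))
    return buf[pos + 2:end].decode("utf-8"), end


def decode_properties(buf, pos, limit=None):
    """Properties section: varint length, then (identifier, value) pairs."""
    length, pos = read_varint(buf, pos)
    if limit is not None and length > limit:
        raise DecodeError("property length exceeds declared remaining length")
    end, props = pos + length, []
    while pos < end:
        if pos >= len(buf):
            raise NeedMoreData(len(buf))
        ident, pos = buf[pos], pos + 1
        if ident != 0x26:
            raise DecodeError(f"unsupported property id {ident:#x}")
        key, pos = read_utf8_string(buf, pos)
        value, pos = read_utf8_string(buf, pos)
        props.append((key, value))
    if pos != end:
        raise DecodeError("property length mismatch")
    return props, pos


def decode_limit_after_properties(buf):
    """Ordering the advisory describes: every property byte is parsed and buffered
    before the Remaining Length is compared with the limit."""
    remaining, pos = read_varint(buf, 1)  # byte 0 is the fixed header, then Remaining Length
    props, _ = decode_properties(buf, pos)
    if remaining > MAX_BYTES_IN_MESSAGE:
        raise DecodeError("message too large")
    return props


def decode_limit_first(buf):
    """Hardened ordering: an oversized frame is rejected on its length prefix alone,
    and the property length is additionally bounded by the declared Remaining Length."""
    remaining, pos = read_varint(buf, 1)
    if remaining > MAX_BYTES_IN_MESSAGE:
        raise DecodeError("message too large")
    props, _ = decode_properties(buf, pos, limit=remaining)
    return props


def replaying_feed(decoder, frame, chunk_size):
    """Model of a replaying decoder: bytes arrive in chunk_size pieces and the decoder
    restarts from byte 0 after every truncation.  Returns (outcome, bytes examined)."""
    buffered, examined = b"", 0
    for start in range(0, len(frame), chunk_size):
        buffered += frame[start:start + chunk_size]
        try:
            decoder(buffered)
            return "accepted", examined + len(buffered)
        except NeedMoreData as e:
            examined += e.bytes_examined
        except DecodeError as e:
            return f"rejected: {e}", examined + len(buffered)
    return "incomplete", examined


def build_frame(user_properties):
    """Constructed CONNECT-like frame: fixed header 0x10, Remaining Length, Properties."""
    body = b""
    for key, value in user_properties:
        k, v = key.encode(), value.encode()
        body += b"\x26" + len(k).to_bytes(2, "big") + k + len(v).to_bytes(2, "big") + v
    props = encode_varint(len(body)) + body
    return b"\x10" + encode_varint(len(props)) + props


SMALL_FRAME = build_frame([("k", "v")])            # constructed: 10 bytes, under the limit
BIG_FRAME = build_frame([("key", "x" * 20)] * 40)  # constructed: 1125 bytes, over the limit

if __name__ == "__main__":
    for name, dec in (("limit after properties", decode_limit_after_properties),
                      ("limit first", decode_limit_first)):
        print(name, replaying_feed(dec, BIG_FRAME, 100))
```

Fed in 100-byte chunks, the late-check variant re-scans the growing buffer on every chunk and only rejects after the full 1125-byte frame has been buffered and parsed, whereas the limit-first variant rejects on the first chunk, having looked at nothing beyond the Remaining Length prefix. The extra `limit=remaining` bound on the property length is the kind of cross-check that stops one length field from promising more data than the enclosing frame declares.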

