CVE-2026-45416
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final,
CVSS
7.5
High
EPSS
0.5%
p37
KEV
—
Exploit Today
11
0-100
Published: Jun 12, 2026 · Last modified: Jul 15, 2026 · CWE-770
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, SslClientHelloHandler.decode() reads the 24-bit TLS handshake length and, when the ClientHello does not fit in the first record, eagerly allocates `ctx.alloc().buffer(handshakeLength)` (line 161). The guard at line 140 is `handshakeLength > maxClientHelloLength && maxClientHelloLength != 0`, and the commonly-used SniHandler/AbstractSniHandler constructors (SniHandler(Mapping), SniHandler(AsyncMapping), AbstractSniHandler()) pass maxClientHelloLength=0 and handshakeTimeoutMillis=0, so the length guard is disabled and no timeout is scheduled. A 16 MiB request exceeds the default pooled chunk size and becomes a huge/unpooled allocation performed immediately. The buffer is retained in the handler until the channel closes. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
- github.comhttps://github.com/netty/netty/releases/tag/netty-4.1.135.Final
- github.comhttps://github.com/netty/netty/releases/tag/netty-4.2.15.Final
- github.comhttps://github.com/netty/netty/security/advisories/GHSA-x4gw-5cx5-pgmh
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:26017
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:26018
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:26586
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:28573
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:34608
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:37390
- access.redhat.comhttps://access.redhat.com/security/cve/CVE-2026-45416
- bugzilla.redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2488391
- security.access.redhat.comhttps://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-45416.json