Netty: HttpContentDecompressor maxAllocation bypass via Content-Encoding: br/zstd/snappy enables decompression bomb DoS
Summary
| CVE | CVE-2026-42587 |
|---|---|
| State | PUBLISHED |
| Assigner | GitHub_M |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-05-13 19:17:24 UTC |
| Updated | 2026-07-03 13:17:13 UTC |
| Description | Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate encodings via ZlibDecoder, but is silently ignored when the content encoding is br (Brotli), zstd, or snappy. An attacker can bypass the configured decompression limit by sending a compressed payload with Content-Encoding: br instead of Content-Encoding: gzip, causing unbounded memory allocation and out-of-memory denial of service. The same vulnerability exists in DelegatingDecompressorFrameListener for HTTP/2 connections. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final. |
Risk And Classification
Primary CVSS: v3.1 7.5 HIGH from ADP
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.000180000 probability, percentile 0.048440000 (date 2026-05-25)
Problem Types: CWE-400 | CWE-770 | CWE-400 CWE-400: Uncontrolled Resource Consumption | CWE-770 Allocation of Resources Without Limits or Throttling
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | ADP | CVSS | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | [email protected] | Secondary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | CNA | DECLARED | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
NVD Known Affected Configurations (CPE 2.3)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Netty | Netty | affected >= 4.2.0.Alpha1, < 4.2.13.Final | Not specified |
| CNA | Netty | Netty | affected < 4.1.133.Final | Not specified |
| CNA | Io.netty | Netty-codec-http | affected >= 4.2.0.Alpha1, < 4.2.13.Final | Not specified |
| CNA | Io.netty | Netty-codec-http | affected < 4.1.133.Final | Not specified |
| CNA | Io.netty | Netty-codec-http2 | affected >= 4.2.0.Alpha1, < 4.2.13.Final | Not specified |
| CNA | Io.netty | Netty-codec-http2 | affected < 4.1.133.Final | Not specified |
| ADP | Red Hat | Cryostat 4 On RHEL 9 | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift Dev Spaces 3.28 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Build Of Quarkus 3.27.4 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Build Of Quarkus 3.33.2 | Not specified | Not specified |
| ADP | Red Hat | Streams For Apache Kafka 2.9.4 | Not specified | Not specified |
| ADP | Red Hat | Cryostat 4 | Not specified | Not specified |
| ADP | Red Hat | OpenShift Serverless | Not specified | Not specified |
| ADP | Red Hat | Red Hat AMQ Broker 7 | Not specified | Not specified |
| ADP | Red Hat | Red Hat AMQ Clients | Not specified | Not specified |
| ADP | Red Hat | Red Hat Build Of Apache Camel For Spring Boot 4 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Build Of Apicurio Registry 2 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Build Of Apicurio Registry 3 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Build Of Debezium 3 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Build Of Keycloak | Not specified | Not specified |
| ADP | Red Hat | Red Hat Build Of OptaPlanner 8 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Data Grid 8 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Fuse 7 | Not specified | Not specified |
| ADP | Red Hat | Red Hat JBoss Enterprise Application Platform 7 | Not specified | Not specified |
| ADP | Red Hat | Red Hat JBoss Enterprise Application Platform 8 | Not specified | Not specified |
| ADP | Red Hat | Red Hat JBoss Enterprise Application Platform Expansion Pack | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI RHOAI | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift Dev Spaces | Not specified | Not specified |
| ADP | Red Hat | Red Hat Process Automation 7 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Single Sign-On 7 | Not specified | Not specified |
| ADP | Red Hat | Streams For Apache Kafka 2 | Not specified | Not specified |
| ADP | Red Hat | Streams For Apache Kafka 3 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Build Of Apache Camel 4 For Quarkus 3 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux AI RHEL AI 3 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Satellite 6 | Not specified | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| access.redhat.com/errata/RHSA-2026:23808 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42587.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:34608 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:25123 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | |
| github.com/netty/netty/security/advisories/GHSA-f6hv-jmp6-3vwv | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | github.com | Exploit, Mitigation, Vendor Advisory |
| access.redhat.com/security/cve/CVE-2026-42587 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:28010 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:24502 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2026-05-13T19:01:35.415Z | Reported to Red Hat. |
| ADP | 2026-05-13T18:22:21.699Z | Made public. |
Solutions
ADP: RHSA-2026:28010: Cryostat 4 on RHEL 9
ADP: RHSA-2026:25123: Red Hat OpenShift Dev Spaces 3.28
ADP: RHSA-2026:23808: Red Hat build of Quarkus 3.27.4
ADP: RHSA-2026:24502: Red Hat build of Quarkus 3.33.2
ADP: RHSA-2026:34608: Streams for Apache Kafka 2.9.4
Workarounds
ADP: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.