Netty HAProxy: Unbalanced Reference Count in Nested PP2_TYPE_SSL TLV Parsing Leads to Memory Exhaustion
Summary
| CVE | CVE-2026-48059 |
|---|---|
| State | PUBLISHED |
| Assigner | GitHub_M |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-12 16:16:30 UTC |
| Updated | 2026-07-03 13:17:24 UTC |
| Description | Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, the HAProxy PROXY protocol v2 codec in netty leaks native or heap memory on every connection when a client sends a syntactically valid header containing nested `PP2_TYPE_SSL` TLVs (type-length-value records) at depth two or greater. The leak occurs on the successful parse path — no exception is thrown, the message fires downstream, the decoder removes itself, and the application releases the `HAProxyMessage` normally. Yet the underlying cumulation buffer (a pooled, potentially direct `ByteBuf` allocated by the channel) remains permanently pinned. Versions 4.1.135.Final and 4.2.15.Final patch the issue. |
Risk And Classification
Primary CVSS: v4.0 8.7 HIGH from [email protected]
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.006090000 probability, percentile 0.444370000 (date 2026-06-20)
Problem Types: CWE-401 | CWE-1286 | CWE-401 CWE-401: Missing Release of Memory after Effective Lifetime | CWE-1286 Improper Validation of Syntactic Correctness of Input
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | [email protected] | Secondary | 8.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/C... |
| 4.0 | CNA | DECLARED | 8.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
| 3.1 | [email protected] | Primary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | ADP | CVSS | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVSS v4.0 Breakdown
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
NVD Known Affected Configurations (CPE 2.3)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Netty | Netty | affected >= 4.2.0.Final, < 4.2.15.Final | Not specified |
| CNA | Netty | Netty | affected < 4.1.135.Final | Not specified |
| ADP | Red Hat | Red Hat Build Of Apache Camel 3.33 For Quarkus 3.33.2.SP1 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Build Of Quarkus 3.27.4.SP1 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Build Of Quarkus 3.33.2.SP1 | Not specified | Not specified |
| ADP | Red Hat | Streams For Apache Kafka 2.9.4 | Not specified | Not specified |
| ADP | Red Hat | Cryostat 4 | Not specified | Not specified |
| ADP | Red Hat | OpenShift Serverless | Not specified | Not specified |
| ADP | Red Hat | Red Hat AMQ Broker 7 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Build Of Apache Camel - HawtIO 4 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Build Of Apache Camel 4 For Quarkus 3 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Build Of Apache Camel For Spring Boot 4 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Build Of Apicurio Registry 3 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Build Of Debezium 3 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Build Of Keycloak | Not specified | Not specified |
| ADP | Red Hat | Red Hat Data Grid 8 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Fuse 7 | Not specified | Not specified |
| ADP | Red Hat | Red Hat JBoss Enterprise Application Platform 7 | Not specified | Not specified |
| ADP | Red Hat | Red Hat JBoss Enterprise Application Platform Expansion Pack | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI RHOAI | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift Dev Spaces | Not specified | Not specified |
| ADP | Red Hat | Streams For Apache Kafka 3 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Satellite 6 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Single Sign-On 7 | Not specified | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-48059.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:26018 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:26017 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| github.com/netty/netty/releases/tag/netty-4.1.135.Final | [email protected] | github.com | Release Notes |
| access.redhat.com/security/cve/CVE-2026-48059 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | |
| access.redhat.com/errata/RHSA-2026:34608 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:26586 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| github.com/netty/netty/security/advisories/GHSA-h2qv-fj59-j46j | [email protected] | github.com | Vendor Advisory |
| github.com/netty/netty/releases/tag/netty-4.2.15.Final | [email protected] | github.com | Release Notes |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2026-06-12T16:02:40.032Z | Reported to Red Hat. |
| ADP | 2026-06-12T14:42:44.677Z | Made public. |
Solutions
ADP: RHSA-2026:26586: Red Hat Build of Apache Camel 3.33 for Quarkus 3.33.2.SP1
ADP: RHSA-2026:26018: Red Hat build of Quarkus 3.27.4.SP1
ADP: RHSA-2026:26017: Red Hat build of Quarkus 3.33.2.SP1
ADP: RHSA-2026:34608: Streams for Apache Kafka 2.9.4
Workarounds
ADP: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.