{"api_version":"1","generated_at":"2026-06-24T22:49:05+00:00","cve":"CVE-2026-44249","urls":{"html":"https://cve.report/CVE-2026-44249","api":"https://cve.report/api/cve/CVE-2026-44249.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-44249","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-44249"},"summary":{"title":"Netty has an IPv6 Subnet Filter Bypass via Incorrect Comparator Masking","description":"Netty is a network application framework for development of protocol servers and clients. In netty-handler prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can bypass IPv6 subnet rules due to an incorrect masking operation in IpSubnetFilterRule.compareTo(). Valid public IP addresses can bypass the restrictions. Versions 4.1.135.Final and 4.2.15.Final patch the issue.","state":"PUBLISHED","assigner":"GitHub_M","published_at":"2026-06-11 22:16:56","updated_at":"2026-06-15 02:30:46"},"problem_types":["CWE-284","CWE-697","CWE-284 CWE-284: Improper Access Control","CWE-697 CWE-697: Incorrect Comparison"],"metrics":[{"version":"3.1","source":"security-advisories@github.com","type":"Secondary","score":"8.1","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":8.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"8.1","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","data":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}}],"references":[{"url":"https://github.com/netty/netty/releases/tag/netty-4.1.135.Final","name":"https://github.com/netty/netty/releases/tag/netty-4.1.135.Final","refsource":"security-advisories@github.com","tags":["Release Notes"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/netty/netty/security/advisories/GHSA-3qp7-7mw8-wx86","name":"https://github.com/netty/netty/security/advisories/GHSA-3qp7-7mw8-wx86","refsource":"security-advisories@github.com","tags":["Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/netty/netty/releases/tag/netty-4.2.15.Final","name":"https://github.com/netty/netty/releases/tag/netty-4.2.15.Final","refsource":"security-advisories@github.com","tags":["Release Notes"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-44249","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44249","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"netty","product":"netty","version":"affected >= 4.2.0.Final, < 4.2.15.Final","platforms":[]},{"source":"CNA","vendor":"netty","product":"netty","version":"affected < 4.1.135.Final","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2026","cve_id":"44249","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"netty","cpe5":"netty","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"44249","cve":"CVE-2026-44249","epss":"0.005120000","percentile":"0.395250000","score_date":"2026-06-19","updated_at":"2026-06-20 00:07:22"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-44249","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","timestamp":"2026-06-12T00:00:00+00:00","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-06-13T03:55:45.263Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"product":"netty","vendor":"netty","versions":[{"status":"affected","version":">= 4.2.0.Final, < 4.2.15.Final"},{"status":"affected","version":"< 4.1.135.Final"}]}],"descriptions":[{"lang":"en","value":"Netty is a network application framework for development of protocol servers and clients. In netty-handler prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can bypass IPv6 subnet rules due to an incorrect masking operation in IpSubnetFilterRule.compareTo(). Valid public IP addresses can bypass the restrictions. Versions 4.1.135.Final and 4.2.15.Final patch the issue."}],"metrics":[{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-284","description":"CWE-284: Improper Access Control","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-697","description":"CWE-697: Incorrect Comparison","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-11T20:46:14.110Z","orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M"},"references":[{"name":"https://github.com/netty/netty/security/advisories/GHSA-3qp7-7mw8-wx86","tags":["x_refsource_CONFIRM"],"url":"https://github.com/netty/netty/security/advisories/GHSA-3qp7-7mw8-wx86"},{"name":"https://github.com/netty/netty/releases/tag/netty-4.1.135.Final","tags":["x_refsource_MISC"],"url":"https://github.com/netty/netty/releases/tag/netty-4.1.135.Final"},{"name":"https://github.com/netty/netty/releases/tag/netty-4.2.15.Final","tags":["x_refsource_MISC"],"url":"https://github.com/netty/netty/releases/tag/netty-4.2.15.Final"}],"source":{"advisory":"GHSA-3qp7-7mw8-wx86","discovery":"UNKNOWN"},"title":"Netty has an IPv6 Subnet Filter Bypass via Incorrect Comparator Masking"}},"cveMetadata":{"assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName":"GitHub_M","cveId":"CVE-2026-44249","datePublished":"2026-06-11T20:46:14.110Z","dateReserved":"2026-05-05T16:33:55.844Z","dateUpdated":"2026-06-13T03:55:45.263Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-11 22:16:56","lastModifiedDate":"2026-06-15 02:30:46","problem_types":["CWE-284","CWE-697","CWE-284 CWE-284: Improper Access Control","CWE-697 CWE-697: Incorrect Comparison"],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":8.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.2,"impactScore":5.9}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*","versionEndExcluding":"4.1.135","matchCriteriaId":"3097D962-A32D-4467-AAE7-F4CBA3A349D2"},{"vulnerable":true,"criteria":"cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*","versionStartIncluding":"4.2.0","versionEndExcluding":"4.2.15","matchCriteriaId":"413D4611-A46C-4BE4-AB2F-D86282F65984"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"44249","Ordinal":"1","Title":"Netty has an IPv6 Subnet Filter Bypass via Incorrect Comparator ","CVE":"CVE-2026-44249","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"44249","Ordinal":"1","NoteData":"Netty is a network application framework for development of protocol servers and clients. In netty-handler prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can bypass IPv6 subnet rules due to an incorrect masking operation in IpSubnetFilterRule.compareTo(). Valid public IP addresses can bypass the restrictions. Versions 4.1.135.Final and 4.2.15.Final patch the issue.","Type":"Description","Title":"Netty has an IPv6 Subnet Filter Bypass via Incorrect Comparator "}]}}}