Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, the HAProxy PROXY protocol v2 codec in netty leaks native or heap memory on every connection when a client sends a syntactically valid header containing nested `PP2_TYPE_SSL` TLVs (type-length-value records) at depth two or greater. The leak occurs on the successful parse path — no exception is thrown, the message fires downstream, the decoder removes itself, and the application releases the `HAProxyMessage` normally. Yet the underlying cumulation buffer (a pooled, potentially direct `ByteBuf` allocated by the channel) remains permanently pinned. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-48059.json
https://github.com/netty/netty/security/advisories/GHSA-h2qv-fj59-j46j
https://github.com/netty/netty/releases/tag/netty-4.2.15.Final
https://github.com/netty/netty/releases/tag/netty-4.1.135.Final
https://bugzilla.redhat.com/show_bug.cgi?id=2488437
https://access.redhat.com/security/cve/CVE-2026-48059
https://access.redhat.com/errata/RHSA-2026:37390
https://access.redhat.com/errata/RHSA-2026:36820
https://access.redhat.com/errata/RHSA-2026:34608
https://access.redhat.com/errata/RHSA-2026:26586
Published: 2026-06-12
Updated: 2026-07-15
Base Score: 7.8
Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C
Severity: High
Base Score: 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Severity: High
Base Score: 8.7
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Severity: High
EPSS: 0.00042