Synopsis
The remote SUSE host is missing one or more security updates.
Description
The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:2802-1 advisory.
This update for netty, netty-tcnative fixes the following issue
This update for netty, netty-tcnative fixes the following issues
Upgrade netty to upstream version 4.1.135, netty-tcnative to upstream version 2.0.79:
- CVE-2026-44249: IPv6 Subnet Filter Bypass via Incorrect Comparator Masking (bsc#1268165).
- CVE-2026-44250: Memory Exhaustion in RedisArrayAggregator due to Deeply Nested Arrays (bsc#1268169).
- CVE-2026-44890: Unbounded Direct Memory Consumption in RedisDecoder (bsc#1268170).
- CVE-2026-44893: netty-codec-haproxy: Denial of Service via malformed HAProxy message (bsc#1268244).
- CVE-2026-45416: SNI handler pre-allocates up to 16 MiB from nine attacker bytes (bsc#1268246).
- CVE-2026-45536: Unix-socket fd receive leaks descriptors when peer sends two at once (bsc#1268247).
- CVE-2026-45673: netty-resolver-dns: DNS Cache Poisoning via predictable transaction IDs (bsc#1268248).
- CVE-2026-45674: DNS Cache Poisoning via Missing Bailiwick Checks in CNAME Records (bsc#1268249).
- CVE-2026-46340: netty-transport-sctp: Denial of Service due to unbounded memory growth from SctpMessage fragments (bsc#1268250).
- CVE-2026-47244: HTTP/2: Advertised MAX_CONCURRENT_STREAMS not enforced (bsc#1268251).
- CVE-2026-47691: Insufficient Bailiwick Validation for NS Records (bsc#1268252).
- CVE-2026-48006: netty-codec-redis: Netty's Lack of Lifecycle Cleanup Leads to Pooled ByteBuf Leak in RedisArrayAggregator (bsc#1268255).
- CVE-2026-48043: netty-codec-http2: Denial of Service due to resource leak (bsc#1268257).
- CVE-2026-48059: netty-codec-haproxy: Denial of Service via memory leak from crafted PROXY protocol headers (bsc#1268258).
- CVE-2026-50010: Wrapping plain trust manager silently disables hostname verification (bsc#1268259).
- CVE-2026-50011: Unbounded pre-allocation in RedisArrayAggregator from RESP array length (bsc#1268260).
- CVE-2026-50020: HttpObjectDecoder skips arbitrary initial control characters when only initial CRLF characters are permitted (bsc#1268261).
- CVE-2026-50560: Netty susceptible to HTTP/2 Reset Attack with different on-the-wire signature (bsc#1268262).
Changes:
- MQTT: Allow MQTT 5 CONNECT with password only + ChannelInitializer: correct misleading comment on exceptionCaught route + HTTP/2: Parse request-target path like Vert.x (4.1 backport) + HttpObjectDecoder skips arbitrary initial control characters when only initial CRLF characters are permitted + IpSubnetFilter: Correctly handle ipv6 + Configurable bound on RedisArrayAggregator + Redis: Limit decoded length + DNS: Ensure query id is not predictible + Wrapping plain trust manager silently disables hostname verification + MQTT: Reject malformed no-payload packets with non-zero Remaining Length + HAProxy: Reject HAProxyMessages with malformated TLV and not leak memory + SSL: Use sane defaults as limits for the client hello length and timeout + DNS: Only cache CNAME if part of the queried domain + HTTP/2: Enforce max concurrent streams for misbehaving clients + Dns: Insufficient Bailiwick Validation for NS Records + HTTP2: DelegatingDecompressorFrameListener must release memory in all cases + Pass maxAllocation to Brotli and Zstd decoders + HTTP/2: Treat clients MAX_HEADER_LIST_SIZE as advisory + Add maxWindowLog parameter to ZstdDecoder to bound memory allocation + HAProxy: Fix ByteBuf leak when parsing nested SSL TLVs + Epoll / Kqueue: Correctly handle receive of FD + SCTP: Limit the number of inflight incomplete SCTP messages and the number of fragments + Redis: Correctly release incomplete message on removal when using RedisArrayAggregator + Redis: Limit the maximum number of nested arrays + HTTP: Re-add constructor to HttpProxyHandler that was removed by mistake + Marshalling: Explicit document security requirements + Pin HTTP/RTSP version + method normalization to Locale.US + Adaptive: Fix concurrency issue in adaptive allocator + Pin multipart Content-Type / Content-Transfer-Encoding case folding to Locale.US + Remove dead native declarations + Avoid re-parsing openssl key material with non-cached provider + IpFilter: Fix ClassCastException caused by IpSubnetFilter if only ipv6 rules are configured but remote peer is using ipv4 + Resolve all localhost addresses without querying DNS servers + HTTP2: Use 100 as default max concurrent streams setting + Route synchronous onLookupComplete exceptions via fireExceptionCaught + Fix MQTT decoder size check after variable header replay
Tenable has extracted the preceding description block directly from the SUSE security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Update the affected netty, netty-javadoc and / or netty-tcnative packages.
Plugin Details
File Name: suse_SU-2026-2802-1.nasl
Agent: unix
Supported Sensors: Nessus Agent, Continuous Assessment, Nessus
Risk Information
Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:N
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Threat Vector: CVSS:4.0/E:U
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Vulnerability Information
CPE: p-cpe:/a:novell:suse_linux:netty, p-cpe:/a:novell:suse_linux:netty-javadoc, p-cpe:/a:novell:suse_linux:netty-tcnative, cpe:/o:novell:suse_linux:15
Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list
Exploit Ease: No known exploits are available
Patch Publication Date: 7/8/2026
Vulnerability Publication Date: 6/8/2026
Reference Information
CVE: CVE-2026-44249, CVE-2026-44250, CVE-2026-44890, CVE-2026-44893, CVE-2026-45416, CVE-2026-45536, CVE-2026-45673, CVE-2026-45674, CVE-2026-46340, CVE-2026-47244, CVE-2026-47691, CVE-2026-48006, CVE-2026-48043, CVE-2026-48059, CVE-2026-50010, CVE-2026-50011, CVE-2026-50020, CVE-2026-50560
SuSE: SUSE-SU-2026:2802-1