SUSE SLED15 / SLES15 Security Update : netty, netty-tcnative (SUSE-SU-2026:2802-1)

high Nessus Plugin ID 326003

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:2802-1 advisory.

This update for netty, netty-tcnative fixes the following issue

This update for netty, netty-tcnative fixes the following issues

Upgrade netty to upstream version 4.1.135, netty-tcnative to upstream version 2.0.79:

- CVE-2026-44249: IPv6 Subnet Filter Bypass via Incorrect Comparator Masking (bsc#1268165).
- CVE-2026-44250: Memory Exhaustion in RedisArrayAggregator due to Deeply Nested Arrays (bsc#1268169).
- CVE-2026-44890: Unbounded Direct Memory Consumption in RedisDecoder (bsc#1268170).
- CVE-2026-44893: netty-codec-haproxy: Denial of Service via malformed HAProxy message (bsc#1268244).
- CVE-2026-45416: SNI handler pre-allocates up to 16 MiB from nine attacker bytes (bsc#1268246).
- CVE-2026-45536: Unix-socket fd receive leaks descriptors when peer sends two at once (bsc#1268247).
- CVE-2026-45673: netty-resolver-dns: DNS Cache Poisoning via predictable transaction IDs (bsc#1268248).
- CVE-2026-45674: DNS Cache Poisoning via Missing Bailiwick Checks in CNAME Records (bsc#1268249).
- CVE-2026-46340: netty-transport-sctp: Denial of Service due to unbounded memory growth from SctpMessage fragments (bsc#1268250).
- CVE-2026-47244: HTTP/2: Advertised MAX_CONCURRENT_STREAMS not enforced (bsc#1268251).
- CVE-2026-47691: Insufficient Bailiwick Validation for NS Records (bsc#1268252).
- CVE-2026-48006: netty-codec-redis: Netty's Lack of Lifecycle Cleanup Leads to Pooled ByteBuf Leak in RedisArrayAggregator (bsc#1268255).
- CVE-2026-48043: netty-codec-http2: Denial of Service due to resource leak (bsc#1268257).
- CVE-2026-48059: netty-codec-haproxy: Denial of Service via memory leak from crafted PROXY protocol headers (bsc#1268258).
- CVE-2026-50010: Wrapping plain trust manager silently disables hostname verification (bsc#1268259).
- CVE-2026-50011: Unbounded pre-allocation in RedisArrayAggregator from RESP array length (bsc#1268260).
- CVE-2026-50020: HttpObjectDecoder skips arbitrary initial control characters when only initial CRLF characters are permitted (bsc#1268261).
- CVE-2026-50560: Netty susceptible to HTTP/2 Reset Attack with different on-the-wire signature (bsc#1268262).

Changes:

- MQTT: Allow MQTT 5 CONNECT with password only + ChannelInitializer: correct misleading comment on exceptionCaught route + HTTP/2: Parse request-target path like Vert.x (4.1 backport) + HttpObjectDecoder skips arbitrary initial control characters when only initial CRLF characters are permitted + IpSubnetFilter: Correctly handle ipv6 + Configurable bound on RedisArrayAggregator + Redis: Limit decoded length + DNS: Ensure query id is not predictible + Wrapping plain trust manager silently disables hostname verification + MQTT: Reject malformed no-payload packets with non-zero Remaining Length + HAProxy: Reject HAProxyMessages with malformated TLV and not leak memory + SSL: Use sane defaults as limits for the client hello length and timeout + DNS: Only cache CNAME if part of the queried domain + HTTP/2: Enforce max concurrent streams for misbehaving clients + Dns: Insufficient Bailiwick Validation for NS Records + HTTP2: DelegatingDecompressorFrameListener must release memory in all cases + Pass maxAllocation to Brotli and Zstd decoders + HTTP/2: Treat clients MAX_HEADER_LIST_SIZE as advisory + Add maxWindowLog parameter to ZstdDecoder to bound memory allocation + HAProxy: Fix ByteBuf leak when parsing nested SSL TLVs + Epoll / Kqueue: Correctly handle receive of FD + SCTP: Limit the number of inflight incomplete SCTP messages and the number of fragments + Redis: Correctly release incomplete message on removal when using RedisArrayAggregator + Redis: Limit the maximum number of nested arrays + HTTP: Re-add constructor to HttpProxyHandler that was removed by mistake + Marshalling: Explicit document security requirements + Pin HTTP/RTSP version + method normalization to Locale.US + Adaptive: Fix concurrency issue in adaptive allocator + Pin multipart Content-Type / Content-Transfer-Encoding case folding to Locale.US + Remove dead native declarations + Avoid re-parsing openssl key material with non-cached provider + IpFilter: Fix ClassCastException caused by IpSubnetFilter if only ipv6 rules are configured but remote peer is using ipv4 + Resolve all localhost addresses without querying DNS servers + HTTP2: Use 100 as default max concurrent streams setting + Route synchronous onLookupComplete exceptions via fireExceptionCaught + Fix MQTT decoder size check after variable header replay

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected netty, netty-javadoc and / or netty-tcnative packages.

See Also

https://bugzilla.suse.com/1268165

https://bugzilla.suse.com/1268169

https://bugzilla.suse.com/1268170

https://bugzilla.suse.com/1268244

https://bugzilla.suse.com/1268246

https://bugzilla.suse.com/1268247

https://bugzilla.suse.com/1268248

https://bugzilla.suse.com/1268249

https://bugzilla.suse.com/1268250

https://bugzilla.suse.com/1268251

https://bugzilla.suse.com/1268252

https://bugzilla.suse.com/1268255

https://bugzilla.suse.com/1268257

https://bugzilla.suse.com/1268258

https://bugzilla.suse.com/1268259

https://bugzilla.suse.com/1268260

https://bugzilla.suse.com/1268261

https://bugzilla.suse.com/1268262

https://lists.suse.com/pipermail/sle-updates/2026-July/048051.html

https://www.suse.com/security/cve/CVE-2026-44249

https://www.suse.com/security/cve/CVE-2026-44250

https://www.suse.com/security/cve/CVE-2026-44890

https://www.suse.com/security/cve/CVE-2026-44893

https://www.suse.com/security/cve/CVE-2026-45416

https://www.suse.com/security/cve/CVE-2026-45536

https://www.suse.com/security/cve/CVE-2026-45673

https://www.suse.com/security/cve/CVE-2026-45674

https://www.suse.com/security/cve/CVE-2026-46340

https://www.suse.com/security/cve/CVE-2026-47244

https://www.suse.com/security/cve/CVE-2026-47691

https://www.suse.com/security/cve/CVE-2026-48006

https://www.suse.com/security/cve/CVE-2026-48043

https://www.suse.com/security/cve/CVE-2026-48059

https://www.suse.com/security/cve/CVE-2026-50010

https://www.suse.com/security/cve/CVE-2026-50011

https://www.suse.com/security/cve/CVE-2026-50020

https://www.suse.com/security/cve/CVE-2026-50560

Plugin Details

Severity: High

ID: 326003

File Name: suse_SU-2026-2802-1.nasl

Version: 1.1

Type: Local

Agent: unix

Published: 7/9/2026

Updated: 7/9/2026

Supported Sensors: Nessus Agent, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5

Percentile: 94.16

CVSS v2

Risk Factor: High

Base Score: 9.4

Temporal Score: 7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:N

CVSS Score Source: CVE-2026-47691

CVSS v3

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 8.7

Threat Score: 6.6

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CVSS Score Source: CVE-2026-48059

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:netty, p-cpe:/a:novell:suse_linux:netty-javadoc, p-cpe:/a:novell:suse_linux:netty-tcnative, cpe:/o:novell:suse_linux:15

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 7/8/2026

Vulnerability Publication Date: 6/8/2026

Reference Information

CVE: CVE-2026-44249, CVE-2026-44250, CVE-2026-44890, CVE-2026-44893, CVE-2026-45416, CVE-2026-45536, CVE-2026-45673, CVE-2026-45674, CVE-2026-46340, CVE-2026-47244, CVE-2026-47691, CVE-2026-48006, CVE-2026-48043, CVE-2026-48059, CVE-2026-50010, CVE-2026-50011, CVE-2026-50020, CVE-2026-50560

SuSE: SUSE-SU-2026:2802-1