CVE-2026-44249
Modified Modified - Updated After Analysis

Incorrect IPv6 Subnet Bypass in Netty

Vulnerability report for CVE-2026-44249, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-11

Last updated on: 2026-06-30

Assigner: GitHub, Inc.

Description

Netty is a network application framework for development of protocol servers and clients. In netty-handler prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can bypass IPv6 subnet rules due to an incorrect masking operation in IpSubnetFilterRule.compareTo(). Valid public IP addresses can bypass the restrictions. Versions 4.1.135.Final and 4.2.15.Final patch the issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-11
Last Modified
2026-06-30
Generated
2026-07-02
AI Q&A
2026-06-12
EPSS Evaluated
2026-06-30
NVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
netty netty to 4.1.135 (exc)
netty netty From 4.2.0 (inc) to 4.2.15 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-697 The product compares two entities in a security-relevant context, but the comparison is incorrect.
CWE-1287 The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability allows an attacker to bypass IPv6 subnet filtering rules, leading to unauthorized access that can impact confidentiality, integrity, and availability of data.

Such unauthorized access could potentially result in non-compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls to protect sensitive personal and health information.

However, the provided information does not explicitly detail the direct effects on compliance with these standards.

Detection Guidance

This vulnerability arises from an incorrect bitwise masking operation in the IpSubnetFilterRule.compareTo() method in affected Netty versions, allowing IPv6 addresses to bypass subnet filtering rules.

To detect if your system is vulnerable, first identify the Netty version in use. Versions 4.2.0.Final to 4.2.14.Final and 4.1.134.Final or earlier are affected, while versions 4.2.15.Final and 4.1.135.Final or later are patched.

You can check the Netty version by inspecting your application's dependencies or runtime environment. For example, if you have access to the Java application or its packaged libraries, you can run commands like:

  • Using Maven dependency tree: mvn dependency:tree | grep netty-handler
  • Using Gradle dependencies: ./gradlew dependencies | grep netty-handler
  • If the application is running, you can try to identify the Netty version by checking the manifest or jar file names in the classpath, for example: jar -xf netty-handler-*.jar META-INF/MANIFEST.MF && grep 'Implementation-Version' META-INF/MANIFEST.MF

To detect exploitation attempts on your network, monitor for unexpected IPv6 traffic that should be blocked by subnet rules but is passing through. Since the vulnerability allows bypassing IPv6 subnet filtering, you can use network monitoring tools or firewall logs to identify such anomalies.

Specific commands depend on your environment, but examples include:

  • Using tcpdump to capture IPv6 traffic: tcpdump -i <interface> ip6
  • Using firewall logs or ip6tables to check for allowed traffic outside expected subnets: sudo ip6tables -L -v -n

Review logs and traffic for IPv6 addresses that should be blocked by subnet rules but are allowed, indicating potential exploitation of this vulnerability.

Mitigation Strategies

To mitigate this vulnerability, upgrade netty-handler to version 4.1.135.Final or 4.2.15.Final or later, as these versions contain the patch that fixes the incorrect masking operation in IpSubnetFilterRule.compareTo().

Executive Summary

This vulnerability exists in the Netty network application framework, specifically in the netty-handler component before versions 4.1.135.Final and 4.2.15.Final. It involves an incorrect masking operation in the IpSubnetFilterRule.compareTo() method, which allows an attacker to bypass IPv6 subnet rules. As a result, valid public IP addresses can circumvent the intended subnet restrictions.

Impact Analysis

The vulnerability can have a significant impact because it allows attackers to bypass IPv6 subnet filtering rules. This means unauthorized access could be gained to network resources that should have been restricted based on IP subnet rules. Given the CVSS base score of 8.1 with high impact on confidentiality, integrity, and availability, exploitation could lead to serious security breaches including data exposure, data modification, or service disruption.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44249. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart