CVE-2026-44249
Received - Intake
Incorrect IPv6 Subnet Bypass in Netty

Publication date: 2026-06-11

Last updated on: 2026-06-11

Assigner: GitHub, Inc.

Description
Netty is a network application framework for development of protocol servers and clients. In netty-handler prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can bypass IPv6 subnet rules due to an incorrect masking operation in IpSubnetFilterRule.compareTo(). Valid public IP addresses can bypass the restrictions. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Meta Information
Published: 2026-06-11
Last Modified: 2026-06-11
Generated: 2026-06-12
AI Q&A: 2026-06-12
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor | Product | Version / Range
netty | netty_handler | to 4.2.15.Final (exc)
CWE ID | Description
CWE-697 | The product compares two entities in a security-relevant context, but the comparison is incorrect.
CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Executive Summary

This vulnerability exists in the Netty network application framework, specifically in the netty-handler component before versions 4.1.135.Final and 4.2.15.Final. It involves an incorrect masking operation in the IpSubnetFilterRule.compareTo() method, which allows an attacker to bypass IPv6 subnet rules. As a result, valid public IP addresses can circumvent the intended subnet restrictions.

Impact Analysis

The vulnerability can have a significant impact because it allows attackers to bypass IPv6 subnet filtering rules. This means unauthorized access could be gained to network resources that should have been restricted based on IP subnet rules. Given the CVSS base score of 8.1 with high impact on confidentiality, integrity, and availability, exploitation could lead to serious security breaches including data exposure, data modification, or service disruption.

Mitigation Strategies

To mitigate this vulnerability, upgrade netty-handler to version 4.1.135.Final or 4.2.15.Final or later, as these versions contain the patch that fixes the incorrect masking operation in IpSubnetFilterRule.compareTo().
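
To find builds that still need this upgrade, the following added example (not part of the advisory or of Netty) scans dependency-list output for netty-handler and classifies each version against the fixed releases named above. The input format (`mvn dependency:list` style coordinates), the sample lines, and the treatment of release lines older than 4.1 as affected are assumptions.

```python
import re

# Fixed releases named in the advisory: release line (major, minor) -> patch.
FIXED = {(4, 1): 135, (4, 2): 15}

# netty-handler coordinate as printed by `mvn dependency:list`
# (group:artifact:type:version:scope) or in group:artifact:version form.
# The colon after "netty-handler" keeps netty-handler-proxy etc. out.
COORD = re.compile(
    r"io\.netty:netty-handler:(?:[\w-]+:)*?(\d+)\.(\d+)\.(\d+)\.(\w+)")


def classify(major, minor, patch):
    """Return 'affected', 'fixed' or 'unlisted' for one version."""
    line = (major, minor)
    if line in FIXED:
        return "affected" if patch < FIXED[line] else "fixed"
    if line < (4, 1):
        # Assumption: older lines fall under "prior to 4.1.135.Final".
        return "affected"
    # Newer release lines are not named in the advisory.
    return "unlisted"


def audit(lines):
    """Return (version, status) for every netty-handler coordinate found."""
    findings = []
    for text in lines:
        m = COORD.search(text)
        if m:
            major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
            version = f"{major}.{minor}.{patch}.{m.group(4)}"
            findings.append((version, classify(major, minor, patch)))
    return findings


# Constructed sample of dependency-list output (not from a real project).
SAMPLE = """\
[INFO]    io.netty:netty-handler:jar:4.1.118.Final:compile
[INFO]    io.netty:netty-handler-proxy:jar:4.1.118.Final:compile
[INFO]    io.netty:netty-handler:jar:4.1.135.Final:runtime
[INFO]    io.netty:netty-handler:jar:4.2.14.Final:compile
[INFO]    io.netty:netty-handler:jar:4.2.15.Final:compile
"""

if __name__ == "__main__":
    for version, status in audit(SAMPLE.splitlines()):
        print(f"{status:9} netty-handler {version}")
```

Transitive copies matter here: netty-handler is often pulled in by other libraries, so run the scan over the resolved dependency list, not only the declared dependencies.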
