CVE-2026-44893
Undergoing Analysis - In Progress
Memory Leak in Netty HAProxy Decoder

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: GitHub, Inc.

Description
Netty is a network application framework for development of protocol servers and clients. In netty-codec-haproxy prior to versions 4.1.135.Final and 4.2.15.Final, when decoding a PP2_TYPE_SSL TLV, HAProxyMessage.readNextTLV() first calls `header.retainedSlice(header.readerIndex(), length)` and only then reads the 1-byte client field and 4-byte verify field. If the attacker sets the TLV length below 5, the subsequent readByte/readInt throws IndexOutOfBoundsException. HAProxyMessageDecoder only catches HAProxyProtocolException around this call, so the IOOBE propagates and the retained slice on the pooled cumulation buffer is never released. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Affected Vendors & Products

Vendor   Product   Version / Range
netty    netty     before 4.2.15.Final (4.2 line; the fixed release itself is excluded)
netty    netty     before 4.1.135.Final (4.1 line; the fixed release itself is excluded)
netty    netty     4.2.15.Final (fixed release)
netty    netty     4.1.135.Final (fixed release)

The affected component within these versions is the netty-codec-haproxy module.
CWE ID Description
CWE-703 The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.
Executive Summary

The vulnerability CVE-2026-44893 affects PP2_TYPE_SSL TLV parsing in Netty's netty-codec-haproxy module, the PROXY protocol decoder. When decoding a PP2_TYPE_SSL TLV, HAProxyMessage.readNextTLV() first takes a retained slice of the buffer for the declared TLV length and only then reads the 1-byte client field and the 4-byte verify field. If the attacker declares a TLV length below 5, those reads throw an IndexOutOfBoundsException. HAProxyMessageDecoder catches only HAProxyProtocolException around this call, so the exception propagates and the retained slice on the pooled cumulation buffer is never released: a memory leak. The PROXY header is the first thing read on a connection, so triggering the bug needs no credentials, only the ability to open a connection to a listener whose pipeline contains HAProxyMessageDecoder.
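The retain-before-validate ordering described in the description and summary above, modelled as an added example (this is not Netty's code; the buffer class, the function names and the 10.0.0.x addresses are this example's own). A toy reference-counted buffer stands in for the pooled cumulation ByteBuf, and one TLV reader runs in either the advisory's order (retain the slice, then read client and verify) or a validate-first order chosen for this example, which is not necessarily how the fixed Netty releases changed the code. A constructed PROXY v2 header with a 2-byte PP2_TYPE_SSL TLV leaks under the first ordering and is rejected cleanly under the second.

```python
import struct

PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"  # 12-byte PROXY protocol v2 signature
PP2_TYPE_SSL = 0x20                        # TLV type carrying the SSL block
VALID_SSL_VALUE = b"\x01\x00\x00\x00\x00"  # constructed: client=1, verify=0 (5 bytes)
SHORT_SSL_VALUE = b"\x01\x00"              # constructed: declared length 2 < 5


class ProtocolError(Exception):
    pass  # stand-in for HAProxyProtocolException, the only exception the decoder catches


class ByteBufModel:
    """Toy pooled ByteBuf: the root owns the refCnt; slices forward retain/release to it."""

    def __init__(self, data, parent=None):
        self.data, self.reader_index = data, 0
        self.root = self if parent is None else parent.root
        self.ref_cnt = 1 if parent is None else None

    def readable_bytes(self):
        return len(self.data) - self.reader_index

    def _read(self, fmt, op):  # bounds-checked read, like ByteBuf.readXxx
        n = struct.calcsize(fmt)
        if self.readable_bytes() < n:
            raise IndexError(f"{op}: need {n} bytes, {self.readable_bytes()} readable")
        self.reader_index += n
        return struct.unpack_from(fmt, self.data, self.reader_index - n)[0]

    def read_byte(self): return self._read(">B", "readByte")
    def read_unsigned_short(self): return self._read(">H", "readUnsignedShort")
    def read_int(self): return self._read(">i", "readInt")

    def read_slice(self, length):  # plain view of the next bytes, no refCnt change
        return ByteBufModel(self._read(f">{length}s", "readSlice"), self)

    def retained_slice(self, index, length):  # refCnt +1; the caller must release()
        self.root.ref_cnt += 1
        return ByteBufModel(self.data[index:index + length], self)

    def release(self):
        self.root.ref_cnt -= 1


def read_next_tlv(header, validate_first):
    """validate_first=False is the order in the advisory (retain, then read);
    True is this example's hardened order: reject bad lengths before any retain."""
    tlv_type, length = header.read_byte(), header.read_unsigned_short()
    if validate_first:
        if header.readable_bytes() < length:
            raise ProtocolError("TLV length exceeds header")
        if tlv_type == PP2_TYPE_SSL and length < 5:
            raise ProtocolError("PP2_TYPE_SSL TLV needs client(1)+verify(4) bytes")
    raw = header.retained_slice(header.reader_index, length)  # refCnt +1 happens here
    value = header.read_slice(length)
    tlv = {"type": tlv_type, "raw": raw}
    if tlv_type == PP2_TYPE_SSL:
        tlv["client"] = value.read_byte()
        tlv["verify"] = value.read_int()  # IndexError if length < 5: raw is never released
    return tlv


def build_pp2_header(ssl_tlv_value):
    """Constructed PROXY v2 header (TCP4, made-up 10.0.0.1:12345 -> 10.0.0.2:443)
    carrying one PP2_TYPE_SSL TLV whose value is ssl_tlv_value."""
    addrs = bytes([10, 0, 0, 1, 10, 0, 0, 2]) + struct.pack(">HH", 12345, 443)
    body = addrs + struct.pack(">BH", PP2_TYPE_SSL, len(ssl_tlv_value)) + ssl_tlv_value
    return PP2_SIGNATURE + bytes([0x21, 0x11]) + struct.pack(">H", len(body)) + body


def decode_v2(buf, validate_first):
    """Minimal v2 decode (TCP over IPv4 only); catches nothing, so both exception types
    reach the caller."""
    sig, ver_cmd, fam = buf.read_slice(12).data, buf.read_byte(), buf.read_byte()
    if sig != PP2_SIGNATURE or ver_cmd >> 4 != 2 or fam != 0x11:
        raise ProtocolError("expected a PROXY v2 header for TCP over IPv4")
    length = buf.read_unsigned_short()
    end = buf.reader_index + length  # header length counts from just after this field
    buf.read_slice(12)  # IPv4 src/dst addresses and ports
    tlvs = []
    while buf.reader_index < end:
        tlvs.append(read_next_tlv(buf, validate_first))
    return tlvs


def decode_and_release(header_bytes, validate_first):
    """One header through the modelled decoder, which (like the real one) catches only
    ProtocolError; the cumulation is always released, the TLV slices only on success."""
    cumulation, outcome, tlvs = ByteBufModel(header_bytes), "ok", []  # refCnt == 1
    try:
        tlvs = decode_v2(cumulation, validate_first)
    except ProtocolError:
        outcome = "protocol-error"    # handled inside the decoder
    except IndexError:
        outcome = "ioobe-propagated"  # escapes the decoder; its retained slice is lost
    finally:
        for tlv in tlvs:
            tlv["raw"].release()
        cumulation.release()
    return outcome, cumulation.ref_cnt > 0, tlvs  # leaked if refCnt never reached 0
```

Calling `decode_and_release(build_pp2_header(SHORT_SSL_VALUE), False)` returns `("ioobe-propagated", True, [])`: the refCnt of the cumulation buffer is still 1 after the framework's own release, which is exactly the state in which a pooled buffer never returns to its pool. The same header with `True` returns `("protocol-error", False, [])`, because the length check runs before anything is retained. Real Netty buffers keep the refCnt on the unwrapped parent in the same way, which is why a leaked retained slice pins the whole cumulation.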

Impact Analysis

This vulnerability causes a memory leak in applications that decode the PROXY protocol with affected versions of netty-codec-haproxy. Each malformed header leaves one retained slice, and therefore one pooled cumulation buffer, unreleased, so an attacker who keeps opening connections can pin pooled buffer memory that grows with every attempt. Over time this degrades performance or crashes the process through resource exhaustion, impacting availability; the description indicates no confidentiality or integrity impact.

Mitigation Strategies

To mitigate this vulnerability, upgrade netty-codec-haproxy (or the netty-all bundle that contains it) to a patched release: 4.2.15.Final or later on the 4.2 line, or 4.1.135.Final or later on the 4.1 line. Check the resolved version, not just the declared one, since another dependency may pin an older netty.

Those releases stop a PP2_TYPE_SSL TLV shorter than 5 bytes from leaving a retained slice unreleased; the advisory does not describe the exact change, so consult the netty release notes for details. Applications that never install HAProxyMessageDecoder in a pipeline are not exposed by this CVE. Until you can upgrade, the usual PROXY protocol hygiene limits exposure: accept the protocol only on listeners reachable from your trusted load balancers (source-address filtering at the firewall or in the pipeline), never on a port open to untrusted clients.

Compliance Impact

The vulnerability CVE-2026-44893 causes a memory leak due to an unreleased buffer slice when processing malformed HAProxy SSL TLV data, potentially leading to denial of service by impacting availability.

While the CVE description and resources highlight the impact on system availability, there is no direct information on how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability affects PP2_TYPE_SSL TLV parsing in netty-codec-haproxy, the module that provides HAProxyMessageDecoder: the 4.2 line before 4.2.15.Final (that is, 4.2.0.Final through 4.2.14.Final) and the 4.1 line up to and including 4.1.134.Final. Detection starts with identifying whether a vulnerable version is deployed and whether HAProxyMessageDecoder is actually installed in a channel pipeline.

To detect the vulnerability on your system, check which version of netty-codec-haproxy (or of the netty-all bundle, which contains it) is deployed in your applications or services, via dependency manifests or package management tools. Look at the resolved runtime classpath rather than only the declared version, since dependency resolution can swap in a different netty.

  • For Maven projects, run: mvn dependency:tree | grep netty
  • For Gradle projects, run: ./gradlew dependencies --configuration runtimeClasspath | grep netty
  • For deployed JAR files, the file name carries the version (netty-codec-haproxy-<version>.jar); to confirm from the manifest: unzip -p netty-codec-haproxy-*.jar META-INF/MANIFEST.MF | grep -i version
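A checker for the version boundaries listed above, as an added example (not a Netty, Maven or Gradle tool): it scans `mvn dependency:tree` output, and plain `group:artifact:version` lines from `gradle dependencies`, for artifacts that ship the HAProxy codec and compares each version against the fixed releases named in this advisory. It does not follow Gradle's `->` conflict-resolution arrows, so feed it the resolved runtime configuration. The sample tree is constructed, not captured from a real build, and `netty-all` is included because that aggregate jar bundles the codec.

```python
import re

# Fixed releases named in the advisory, keyed by (major, minor) line.
FIXED = {(4, 1): (4, 1, 135), (4, 2): (4, 2, 15)}
# netty-all bundles every module, including the HAProxy codec, so it is checked too.
ARTIFACTS_WITH_HAPROXY_CODEC = ("netty-codec-haproxy", "netty-all")

# Matches "io.netty:<artifact>:jar:<version>" (Maven dependency:tree) and
# "io.netty:<artifact>:<version>" (Gradle dependencies) anywhere in a line.
ARTIFACT_RE = re.compile(r"io\.netty:([\w.-]+):(?:jar:)?(\d+(?:\.\d+)*(?:\.\w+)?)")

# Constructed sample output, not from a real build.
SAMPLE_TREE = r"""
[INFO] --- dependency:3.6.1:tree (default-cli) @ edge-proxy ---
[INFO] com.example:edge-proxy:jar:1.0.0
[INFO] +- io.netty:netty-codec-haproxy:jar:4.1.120.Final:compile
[INFO] |  \- io.netty:netty-transport:jar:4.1.120.Final:compile
[INFO] +- io.netty:netty-codec-http:jar:4.1.120.Final:compile
[INFO] \- org.slf4j:slf4j-api:jar:2.0.13:compile
"""


def parse_version(version):
    """'4.1.120.Final' -> (4, 1, 120); non-numeric qualifiers are ignored."""
    nums = [int(p) for p in version.split(".") if p.isdigit()]
    return tuple((nums + [0, 0, 0])[:3])


def is_vulnerable(version):
    """True below the fix for that line, False at or above it, None for lines the
    advisory does not mention (for example 4.0.x or 5.0.0.Alpha builds)."""
    parsed = parse_version(version)
    fixed = FIXED.get(parsed[:2])
    return None if fixed is None else parsed < fixed


def scan_dependency_tree(text):
    """Return (artifact, version, vulnerable) for each line naming an artifact
    that ships the HAProxy codec."""
    findings = []
    for line in text.splitlines():
        m = ARTIFACT_RE.search(line)
        if m and m.group(1) in ARTIFACTS_WITH_HAPROXY_CODEC:
            findings.append((m.group(1), m.group(2), is_vulnerable(m.group(2))))
    return findings


if __name__ == "__main__":
    import sys
    # Pass "-" to read a real dependency tree from stdin; otherwise use the sample.
    text = sys.stdin.read() if len(sys.argv) > 1 and sys.argv[1] == "-" else SAMPLE_TREE
    for artifact, version, vulnerable in scan_dependency_tree(text):
        status = {True: "VULNERABLE", False: "fixed", None: "line not covered"}[vulnerable]
        print(f"{artifact} {version}: {status}")
```

Usage on a real project: `mvn dependency:tree | python check_netty_haproxy.py -` (the script name is illustrative). A result of `None` means the version is on a line the advisory does not name, which is worth a manual look rather than an automatic pass.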

Network detection of exploitation attempts is hard: the trigger is a PROXY protocol v2 header whose PP2_TYPE_SSL TLV declares a length below 5, which differs from a legitimate header by only a few bytes and arrives before any application data. Host-side signals are more practical: an IndexOutOfBoundsException surfacing through the pipeline's exceptionCaught with HAProxyMessage.readNextTLV or HAProxyMessageDecoder in the stack trace, and, if Netty's leak detector is enabled (for example with -Dio.netty.leakDetection.level=paranoid, which samples every buffer at a performance cost), "LEAK: ByteBuf.release() was not called" warnings whose recorded access points include the HAProxy decoder. Also watch direct-memory and pooled-buffer metrics on listeners that accept the PROXY protocol, since each malformed header pins one cumulation buffer.
