CVE-2026-45416
Undergoing Analysis Undergoing Analysis - In Progress
Heap Overflow in Netty Framework

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: GitHub, Inc.

Description
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, SslClientHelloHandler.decode() reads the 24-bit TLS handshake length and, when the ClientHello does not fit in the first record, eagerly allocates `ctx.alloc().buffer(handshakeLength)` (line 161). The guard at line 140 is `handshakeLength > maxClientHelloLength && maxClientHelloLength != 0`, and the commonly-used SniHandler/AbstractSniHandler constructors (SniHandler(Mapping), SniHandler(AsyncMapping), AbstractSniHandler()) pass maxClientHelloLength=0 and handshakeTimeoutMillis=0, so the length guard is disabled and no timeout is scheduled. A 16 MiB request exceeds the default pooled chunk size and becomes a huge/unpooled allocation performed immediately. The buffer is retained in the handler until the channel closes. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-12
Last Modified
2026-06-12
Generated
2026-06-12
AI Q&A
2026-06-12
EPSS Evaluated
N/A
NVD
CVE-2026-45416
EUVD
EUVD-2026-36436
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
netty netty to 4.2.15.final (exc)
netty netty to 4.1.135.final (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The CVE-2026-45416 vulnerability in Netty's SNI handler involves a flaw in the SslClientHelloHandler.decode() method, which reads a 24-bit TLS handshake length and pre-allocates a buffer based on this length.

When certain constructors are used (SniHandler(Mapping), SniHandler(AsyncMapping), AbstractSniHandler()), a guard condition that limits the handshake length is disabled, allowing an attacker to send a ClientHello message with a very large handshake length.

This causes an immediate large memory allocation (up to 16 MiB) that is retained until the channel closes, potentially leading to resource exhaustion.

Impact Analysis

This vulnerability can lead to high availability loss due to resource exhaustion caused by large memory allocations.

An attacker can exploit this flaw by sending a specially crafted ClientHello message that triggers the allocation of a large buffer, which remains in memory until the connection closes.

This can degrade system performance or cause denial of service by exhausting memory resources.

Mitigation Strategies

To mitigate the CVE-2026-45416 vulnerability in Netty, you should upgrade your Netty version to at least 4.1.135.Final or 4.2.15.Final, where the issue has been patched.

These patched versions fix the flaw in the SslClientHelloHandler.decode() method that allowed large memory allocations due to disabled handshake length guards.

Compliance Impact

The provided information does not specify any direct impact of the CVE-2026-45416 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability involves the SslClientHelloHandler.decode() method in Netty pre-allocating a large buffer when processing a TLS ClientHello message with an unusually large handshake length. Detection involves monitoring for unusually large TLS ClientHello messages or abnormal memory allocations related to TLS handshake processing.

To detect this on your network or system, you can capture and analyze TLS ClientHello messages to identify unusually large handshake lengths that exceed typical sizes.

Suggested commands include using packet capture tools like tcpdump or Wireshark to filter and inspect TLS ClientHello messages:

  • tcpdump -i <interface> -s 0 -w capture.pcap 'tcp port 443'
  • Then analyze the capture with Wireshark, filtering for 'ssl.handshake.type == 1' (ClientHello) and checking the handshake length field for unusually large values.

Additionally, monitoring application logs or metrics for sudden spikes in memory usage or resource exhaustion related to Netty processes may help identify exploitation attempts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45416. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart