CVE-2026-46340
Undergoing Analysis Undergoing Analysis - In Progress
Memory Exhaustion in Netty SCTP Transport

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: GitHub, Inc.

Description
Netty is a network application framework for development of protocol servers and clients. In versions of netty-transport-sctp prior to 4.1.135.Final and 4.2.15.Final, for each non-complete SctpMessage fragment the handler does `fragments.put(streamId, Unpooled.wrappedBuffer(frag, byteBuf))`, wrapping the previous accumulator and the new slice into a *new* CompositeByteBuf every time. After N fragments the accumulator is an N-deep chain of composites, each holding references and component arrays; readableBytes()/getBytes() on the final buffer recurse N levels. There is no limit on N, on total bytes, or on the number of streamIdentifiers an attacker can open (each gets its own map entry). A peer that never sets the `complete` flag can grow this structure indefinitely from tiny 1-byte DATA chunks. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-12
Last Modified
2026-06-12
Generated
2026-06-12
AI Q&A
2026-06-12
EPSS Evaluated
N/A
NVD
CVE-2026-46340
EUVD
EUVD-2026-36451
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
netty netty 4.1.134.Final
netty netty to 4.2.14.Final (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-46340 is a vulnerability in the Netty library's SCTP (Stream Control Transmission Protocol) reassembly mechanism. When handling incomplete SCTP message fragments, the handler creates a new CompositeByteBuf that wraps the previous buffer and the new fragment, forming a chain of nested buffers.

This chain can grow indefinitely because there is no limit on the number of fragments, total bytes, or stream identifiers. An attacker can exploit this by sending many small 1-byte DATA chunks without setting the complete flag, causing the buffer structure to grow without bound.

The recursive nature of operations like readableBytes() or getBytes() on this deeply nested buffer leads to excessive memory consumption and potential denial-of-service (DoS) conditions.

Impact Analysis

This vulnerability can impact you by causing excessive memory consumption on systems using affected versions of the Netty library. An attacker can exploit it remotely without any privileges or user interaction.

The unbounded growth of nested buffers can lead to denial-of-service (DoS) conditions, making the affected application or service unavailable.

Detection Guidance

This vulnerability involves the Netty SCTP handler creating an unbounded chain of CompositeByteBuf objects when processing incomplete SCTP message fragments. Detection involves monitoring for abnormal memory usage patterns or unusually deep buffer chains in applications using affected Netty versions.

Since the vulnerability is triggered by SCTP message fragments that never set the complete flag and consist of many small 1-byte DATA chunks, network monitoring tools can be used to detect suspicious SCTP traffic with many incomplete fragments.

Specific commands or tools are not provided in the available resources. However, general approaches include:

  • Using packet capture tools like tcpdump or Wireshark to filter SCTP traffic and analyze fragment completeness.
  • Monitoring application logs or metrics for excessive memory consumption or stack traces related to CompositeByteBuf usage.
  • Using Java profiling tools (e.g., jvisualvm, jconsole) to observe memory usage patterns in applications using Netty SCTP.
Mitigation Strategies

The primary mitigation is to upgrade Netty to a patched version where this vulnerability is fixed.

  • Upgrade to Netty version 4.1.135.Final or later if using the 4.1.x branch.
  • Upgrade to Netty version 4.2.15.Final or later if using the 4.2.x branch.

These versions include patches that limit the unbounded growth of CompositeByteBuf chains when handling SCTP fragments.

Additionally, consider monitoring SCTP traffic for suspicious patterns and applying network-level protections to limit potential exploitation until the upgrade can be performed.

Compliance Impact

The vulnerability in Netty's SCTP reassembly mechanism can lead to denial-of-service (DoS) conditions by causing excessive memory consumption and resource exhaustion. Such availability impacts could indirectly affect compliance with standards like GDPR or HIPAA, which require ensuring system availability and resilience against attacks. However, there is no direct mention in the provided information about specific compliance implications or data protection failures related to this vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46340. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart