CVE-2026-48059
Status: Undergoing Analysis - In Progress
Memory Leak in Netty HAProxy PROXY Protocol v2 Codec

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: GitHub, Inc.

Description
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, the HAProxy PROXY protocol v2 codec in netty leaks native or heap memory on every connection when a client sends a syntactically valid header containing nested `PP2_TYPE_SSL` TLVs (type-length-value records) at depth two or greater. The leak occurs on the successful parse path: no exception is thrown, the message fires downstream, the decoder removes itself, and the application releases the `HAProxyMessage` normally. Yet the underlying cumulation buffer (a pooled, potentially direct `ByteBuf` allocated by the channel) remains permanently pinned. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Affected Vendors & Products
Vendor Product Version / Range
netty netty to 4.1.135.Final (exc)
netty netty From 4.2.0.Final (inc) to 4.2.15.Final (exc)
CWE
CWE-401: The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.
Executive Summary

This vulnerability exists in the HAProxy PROXY protocol v2 codec of Netty versions prior to 4.1.135.Final and 4.2.15.Final. When a client sends a syntactically valid header containing nested PP2_TYPE_SSL TLVs at depth two or greater, the codec leaks native or heap memory on every connection.

The leak happens during successful parsing without throwing any exceptions. The message is processed normally, and the decoder removes itself as expected. However, the underlying cumulation buffer, which is a pooled ByteBuf allocated by the channel, remains permanently pinned, causing memory to be retained and not released.

This issue is caused by unbalanced reference counting in the nested PP2_TYPE_SSL TLV parsing, leading to memory exhaustion over time.

Impact Analysis

This vulnerability can lead to memory exhaustion on the affected system because the codec leaks native or heap memory on every connection with nested SSL TLVs.

Over time, this persistent memory leak can degrade system performance, cause application instability, or even lead to crashes due to resource depletion.

Detection Guidance

This vulnerability involves memory leaks triggered by clients sending syntactically valid HAProxy PROXY protocol v2 headers containing nested PP2_TYPE_SSL TLVs at depth two or greater.

Detection would involve monitoring for abnormal memory usage or exhaustion in Netty-based applications using affected versions (4.2.0.Final to 4.2.14.Final and 4.1.134.Final or earlier).

Since the leak occurs without exceptions and the message is processed normally, the problem leaves no error in application logs, and detecting it directly from network traffic requires parsing the PROXY protocol headers themselves.

Commands to monitor memory usage on the system could include:

  • Linux: `top`, `htop`, or `ps aux --sort=-rss` to identify processes with increasing memory consumption.
  • Use Java-specific tools like `jcmd <pid> GC.heap_info` or `jmap -heap <pid>` to inspect heap memory usage of the Netty application.
  • Network traffic capture tools like `tcpdump` or `wireshark` can be used to capture and analyze HAProxy PROXY protocol v2 headers for nested PP2_TYPE_SSL TLVs, but this requires protocol-specific parsing.

Mitigation Strategies

The primary mitigation is to upgrade Netty to a patched version where the vulnerability is fixed.

  • Upgrade to Netty version 4.1.135.Final or later.
  • Upgrade to Netty version 4.2.15.Final or later.

Until the upgrade can be applied, consider monitoring memory usage closely and limiting or filtering incoming connections that send HAProxy PROXY protocol v2 headers with nested PP2_TYPE_SSL TLVs if possible.
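The protocol-specific parsing that the detection guidance calls for, and the header filter suggested as an interim mitigation, as one added example that is not part of this record or of Netty's own code: it parses a PROXY protocol v2 header, reports how deeply `PP2_TYPE_SSL` TLVs are nested, and rejects headers at depth two or greater before they reach an unpatched codec. The type code 0x20, the address-block sizes and the TLV layout are taken from the public PROXY protocol specification; the two sample headers are constructed for the test, not captured traffic.

```python
import struct

PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"   # 12-byte PROXY protocol v2 signature
PP2_TYPE_SSL = 0x20                         # TLV type code of PP2_TYPE_SSL (spec value)
# Address block size (src/dst address + ports) for AF_INET, AF_INET6, AF_UNIX (spec values)
ADDR_BLOCK_LEN = {0x1: 12, 0x2: 36, 0x3: 216}

def max_ssl_depth(tlvs: bytes, depth: int = 0) -> int:
    """Deepest PP2_TYPE_SSL nesting in a TLV sequence (a top-level SSL TLV is 1)."""
    deepest, pos = depth, 0
    while pos + 3 <= len(tlvs):
        tlv_type = tlvs[pos]
        (length,) = struct.unpack_from("!H", tlvs, pos + 1)
        value = tlvs[pos + 3 : pos + 3 + length]
        if len(value) != length:
            raise ValueError("truncated TLV")
        pos += 3 + length
        if tlv_type == PP2_TYPE_SSL:
            if length < 5:  # client(1) + verify(4) precede the sub-TLVs
                raise ValueError("short PP2_TYPE_SSL value")
            deepest = max(deepest, max_ssl_depth(value[5:], depth + 1))
    if pos != len(tlvs):
        raise ValueError("trailing bytes after last TLV")
    return deepest

def ssl_depth_of_header(header: bytes) -> int:
    """Parse one complete PROXY v2 header and return its PP2_TYPE_SSL depth."""
    if len(header) < 16 or header[:12] != PP2_SIGNATURE or header[12] >> 4 != 0x2:
        raise ValueError("not a PROXY protocol v2 header")
    (body_len,) = struct.unpack_from("!H", header, 14)
    body = header[16 : 16 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated header")
    addr_len = ADDR_BLOCK_LEN.get(header[13] >> 4)
    if addr_len is None:  # AF_UNSPEC: no address block or TLVs to inspect
        return 0
    return max_ssl_depth(body[addr_len:])

def should_reject(header: bytes) -> bool:
    """Pre-filter for unpatched Netty: drop headers with SSL TLVs nested two or more deep."""
    return ssl_depth_of_header(header) >= 2

# Constructed sample headers (TCP over IPv4, private addresses), not captured traffic.
def _tlv(tlv_type: int, value: bytes) -> bytes:
    return bytes([tlv_type]) + struct.pack("!H", len(value)) + value
def _ssl_tlv(sub_tlvs: bytes) -> bytes:  # client=1, verify=0, then sub-TLVs
    return _tlv(PP2_TYPE_SSL, b"\x01\x00\x00\x00\x00" + sub_tlvs)
def _header(tlvs: bytes) -> bytes:
    body = bytes([10, 0, 0, 1, 10, 0, 0, 2]) + struct.pack("!HH", 40000, 443) + tlvs
    return PP2_SIGNATURE + bytes([0x21, 0x11]) + struct.pack("!H", len(body)) + body
BENIGN = _header(_ssl_tlv(_tlv(0x21, b"TLSv1.3")))  # one SSL TLV with a version sub-TLV
NESTED = _header(_ssl_tlv(_ssl_tlv(b"")))            # SSL TLV inside SSL TLV: depth 2
```

A front proxy or a channel handler placed ahead of the decoder can call `should_reject` on the first bytes of each connection; malformed headers raise `ValueError` and should be dropped as well.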
