Memory Management Issue in Netty Framework's Snappy Decompression
CVE-2021-37137

7.5 HIGH

Key Information:

Status
Vendor
CVE Published: 19 October 2021

Summary

The Snappy frame decoder in the Netty Framework lacks proper restrictions on chunk lengths, potentially leading to excessive memory consumption. This vulnerability is triggered when manipulated input that decompresses to an unexpectedly large size is processed—either through a network stream or a file. Additionally, the decoder may buffer skippable chunks, causing substantial memory usage if large chunks are received, thus affecting the stability and reliability of the application.
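The two checks the summary says were missing, as an added example that is not Netty's code and not taken from the original page: bound each chunk's length and its claimed decompressed size before allocating, and discard skippable chunks instead of buffering them. The chunk types and the 65536-byte limit come from the Snappy framing format; the class name, the `Action` enum and the `MAX_COMPRESSED` ceiling are assumptions made for illustration.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
// Hypothetical helper, not Netty code: validates one Snappy framing-format chunk header.
public class SnappyChunkGuard {
    static final int MAX_BLOCK = 65536;   // framing format: max uncompressed bytes per chunk
    static final int CRC_LEN = 4;         // masked CRC-32C at the start of the chunk data
    static final int MAX_COMPRESSED = 76490 + CRC_LEN; // assumption: Snappy worst case for 64 KiB
    enum Action { DECODE, COPY, SKIP_WITHOUT_BUFFERING, STREAM_ID }

    // Inspects the chunk at buf's position; nothing is allocated from input-controlled sizes.
    // The caller must already hold the 4-byte header (and, for data chunks, CRC + preamble).
    static Action inspect(ByteBuffer buf) {
        buf.order(ByteOrder.LITTLE_ENDIAN);
        int header = buf.getInt(buf.position());
        int type = header & 0xff;
        int len = header >>> 8;           // 24-bit little-endian chunk length
        if (type == 0xff) return Action.STREAM_ID;
        if (type >= 0x80) return Action.SKIP_WITHOUT_BUFFERING; // drop len bytes as they arrive
        if (type >= 0x02) throw new IllegalStateException("reserved unskippable chunk");
        if (len < CRC_LEN) throw new IllegalStateException("chunk too short for CRC");
        if (type == 0x01) {
            if (len > MAX_BLOCK + CRC_LEN) throw new IllegalStateException("uncompressed chunk too large");
            return Action.COPY;
        }
        if (len > MAX_COMPRESSED) throw new IllegalStateException("compressed chunk too large");
        // A raw Snappy block starts with a varint holding the claimed decompressed size.
        long claimed = 0;
        int pos = buf.position() + 4 + CRC_LEN;
        for (int shift = 0; shift < 35; shift += 7) {
            int b = buf.get(pos++) & 0xff;
            claimed |= (long) (b & 0x7f) << shift;
            if ((b & 0x80) == 0) {
                if (claimed > MAX_BLOCK) throw new IllegalStateException("claims " + claimed + " bytes");
                return Action.DECODE;
            }
        }
        throw new IllegalStateException("malformed length preamble");
    }

    public static void main(String[] args) {
        // Constructed samples: type, 3-byte length, 4-byte CRC placeholder, varint preamble.
        byte[] ok = {0x00, 0x08, 0, 0, 0, 0, 0, 0, 0x05, 0, 0, 0};
        byte[] bomb = {0x00, 0x09, 0, 0, 0, 0, 0, 0, (byte) 0x80, (byte) 0x80, (byte) 0x80, (byte) 0x80, 0x04};
        byte[] skippable = {(byte) 0x80, (byte) 0xff, (byte) 0xff, (byte) 0xff};
        System.out.println(inspect(ByteBuffer.wrap(ok)));        // DECODE
        System.out.println(inspect(ByteBuffer.wrap(skippable))); // SKIP_WITHOUT_BUFFERING
        try { inspect(ByteBuffer.wrap(bomb)); }                  // claims 1 GiB in a 9-byte chunk
        catch (IllegalStateException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```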

Affected Version(s)

Netty < 4.1.68Final

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
