Memory Management Issue in Netty Framework's Snappy Decompression
CVE-2021-37137

7.5HIGH

Key Information:

Vendor: The Netty Project
Status: Netty
Vendor: CVE Published:; 19 October 2021

🔔 Create The Netty Project Vulnerability Alert

What is CVE-2021-37137?

The Snappy frame decoder in the Netty Framework lacks proper restrictions on chunk lengths, potentially leading to excessive memory consumption. This vulnerability is triggered when manipulated input that decompresses to an unexpectedly large size is processed—either through a network stream or a file. Additionally, the decoder may buffer skippable chunks, causing substantial memory usage if large chunks are received, thus affecting the stability and reliability of the application.

Affected Version(s)

Netty < 4.1.68Final

References

https://github.com/netty/netty/security/advisories/GHSA-9...

https://lists.apache.org/thread.html/rfb2bf8597e53364ccab...

mailing-list

https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c...

mailing-list

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 19, 2021
Vulnerability Reserved
Jul 20, 2021