Buffer Allocation Issue in Netty Framework Affecting Multiple Versions
CVE-2026-42583

7.5HIGH

Key Information:

Vendor: Netty
Status: Netty; Netty-codec; Netty-codec-compression
Vendor: CVE Published:; 13 May 2026

What is CVE-2026-42583?

A potential buffer allocation issue exists in the Netty framework versions prior to 4.2.13.Final and 4.1.133.Final. The Lz4FrameDecoder can allocate a ByteBuf of significant size (up to 32 MB) before the LZ4 decompression occurs. This can be exploited by a peer, requiring only a small header and compressed payload to trigger this undesired allocation, potentially leading to resource exhaustion. Upgrading to newer versions is essential to mitigate this risk.

Affected Version(s)

netty >= 4.2.0.Alpha1, < 4.2.13.Final < 4.2.0.Alpha1, 4.2.13.Final

netty < 4.1.133.Final < 4.1.133.Final

netty-codec < 4.1.133.Final

References

https://github.com/netty/netty/security/advisories/GHSA-m...

x_refsource_CONFIRM

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 13, 2026
Vulnerability Reserved
Apr 28, 2026

CVE-2026-42583 Data

JSON