Memory Management Issues in Netty Framework Affecting Multiple Encoding Types
CVE-2026-42587

7.5 HIGH

Key Information:

Vendor: Netty

CVE Published: 13 May 2026

What is CVE-2026-42587?

Netty, an event-driven network application framework, has a vulnerability in how its HttpContentDecompressor component handles the maxAllocation parameter. The configured limit on decompression buffer size is ignored for certain content encodings (Brotli, zstd, snappy), so the decoder allocates output memory without bound for those encodings. An attacker can exploit this by sending specially crafted compressed data whose decompressed size far exceeds the configured limit, causing unbounded memory allocation. This can result in denial of service through out-of-memory errors, impacting application availability. The issue has been addressed in versions 4.2.13.Final and 4.1.133.Final.
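To illustrate the control that failed here, the following added example (not Netty's code and not from the advisory) shows what a decompression limit of the maxAllocation kind must do: stop producing output as soon as the inflated size passes the cap, regardless of how small the compressed input is. It uses Python's zlib as a stand-in for the Brotli/zstd/snappy decoders, since the point is the bounded-output loop rather than any particular codec; the payloads are constructed inline, and the function and exception names are this example's own.

```python
import zlib


class DecompressionLimitExceeded(Exception):
    """Raised when inflated output would exceed the configured allocation cap."""


def decompress_bounded(compressed: bytes, max_allocation: int, chunk_size: int = 4096) -> bytes:
    """Inflate `compressed`, never holding more than max_allocation output bytes.

    Output is pulled in chunks of at most `chunk_size` bytes via the
    max_length argument, and the running total is checked after every chunk,
    so a high-ratio payload is rejected long before it is fully inflated.
    """
    decoder = zlib.decompressobj()
    out = bytearray()
    pending = compressed
    while not decoder.eof:
        # max_length caps the output of this call; input it could not consume
        # yet is handed back through unconsumed_tail.
        chunk = decoder.decompress(pending, chunk_size)
        out += chunk
        if len(out) > max_allocation:
            raise DecompressionLimitExceeded(
                f"inflated size exceeds {max_allocation} bytes "
                f"(compressed input was {len(compressed)} bytes)"
            )
        pending = decoder.unconsumed_tail
        if not chunk and not pending:
            # No progress and no input left: the stream is truncated.
            raise ValueError("truncated compressed stream")
    return bytes(out)


def exceeds_limit(compressed: bytes, max_allocation: int) -> bool:
    """Convenience check: True if inflating `compressed` would breach the cap."""
    try:
        decompress_bounded(compressed, max_allocation)
    except DecompressionLimitExceeded:
        return True
    return False


# Constructed sample payloads (not taken from the advisory):
# ~1 KiB of compressed input that inflates to 1 MiB, and a small benign body.
BOMB_PAYLOAD = zlib.compress(b"\x00" * (1 << 20))
SMALL_PAYLOAD = zlib.compress(b"hello world")


if __name__ == "__main__":
    print("compressed bomb size:", len(BOMB_PAYLOAD))
    print("small body:", decompress_bounded(SMALL_PAYLOAD, 1024))
    print("bomb under 64 KiB cap rejected:", exceeds_limit(BOMB_PAYLOAD, 64 * 1024))
```

The defect described in the advisory corresponds to a decoder that skips the per-chunk size check for some encodings; the fix is to apply the same cap on every code path, which is what the patched Netty releases do for Brotli, zstd and snappy.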

Affected Version(s)

netty >= 4.2.0.Alpha1, < 4.2.13.Final

netty < 4.1.133.Final

netty-codec-http >= 4.2.0.Alpha1, < 4.2.13.Final

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
