Netty has an IPv6 Subnet Filter Bypass via Incorrect Comparator Masking
CVE-2026-44249

8.1HIGH

Key Information:

Vendor: Netty
Status: Netty
Vendor: CVE Published:; 11 June 2026

🔔 Create Netty Vulnerability Alert

What is CVE-2026-44249?

Netty is a network application framework for development of protocol servers and clients. In netty-handler prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can bypass IPv6 subnet rules due to an incorrect masking operation in IpSubnetFilterRule.compareTo(). Valid public IP addresses can bypass the restrictions. Versions 4.1.135.Final and 4.2.15.Final patch the issue.

Affected Version(s)

netty >= 4.2.0.Final, < 4.2.15.Final < 4.2.0.Final, 4.2.15.Final

netty < 4.1.135.Final < 4.1.135.Final

References

https://github.com/netty/netty/security/advisories/GHSA-3...

x_refsource_CONFIRM

https://github.com/netty/netty/releases/tag/netty-4.1.135...

x_refsource_MISC

https://github.com/netty/netty/releases/tag/netty-4.2.15....

x_refsource_MISC

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 11, 2026
Vulnerability Reserved
May 5, 2026

CVE-2026-44249 Data

.