Network Application Framework Vulnerability in HAProxy by Netty
CVE-2026-44893

7.5HIGH

Key Information:

Vendor

Netty

Status
Vendor
CVE Published:
12 June 2026

What is CVE-2026-44893?

A vulnerability exists in Netty's HAProxyMessage decoding process when dealing with the PP2_TYPE_SSL TLV type. The issue arises as HAProxyMessage.readNextTLV() improperly processes the TLV length, allowing an attacker to manipulate it below the minimum expected length. This results in an IndexOutOfBoundsException being thrown when reading client and verify fields without proper bounds checks. Consequently, the error is not adequately caught, leading to potential memory retention on the pooled cumulation buffer, which may increase the risk of denial of service or memory leaks if exploited. This vulnerability is addressed in versions 4.1.135.Final and 4.2.15.Final.

Affected Version(s)

netty >= 4.2.0.Final, < 4.2.15.Final < 4.2.0.Final, 4.2.15.Final

netty < 4.1.135.Final < 4.1.135.Final

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.