Network Protocol Framework Vulnerability in Netty by Tashi
CVE-2026-45416
7.5HIGH
What is CVE-2026-45416?
The vulnerability in Netty's SslClientHelloHandler allows for excessive memory allocation due to insufficient validation of the TLS handshake length. When ClientHello requests exceed the expected size, large unpooled memory allocations occur, which can lead to excessive resource consumption and denial of service. This occurs particularly when using default SniHandler constructors that effectively disable critical length guards. Versions 4.1.135.Final and 4.2.15.Final provide patches addressing this issue.
Affected Version(s)
netty >= 4.2.0.Final, < 4.2.15.Final < 4.2.0.Final, 4.2.15.Final
netty < 4.1.135.Final < 4.1.135.Final
