Network Protocol Framework Vulnerability in Netty by Tashi
CVE-2026-45416

7.5HIGH

Key Information:

Vendor

Netty

Status
Vendor
CVE Published:
12 June 2026

What is CVE-2026-45416?

The vulnerability in Netty's SslClientHelloHandler allows for excessive memory allocation due to insufficient validation of the TLS handshake length. When ClientHello requests exceed the expected size, large unpooled memory allocations occur, which can lead to excessive resource consumption and denial of service. This occurs particularly when using default SniHandler constructors that effectively disable critical length guards. Versions 4.1.135.Final and 4.2.15.Final provide patches addressing this issue.

Affected Version(s)

netty >= 4.2.0.Final, < 4.2.15.Final < 4.2.0.Final, 4.2.15.Final

netty < 4.1.135.Final < 4.1.135.Final

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.