Memory Leak Vulnerability in Netty Framework Affects HAProxy Protocol
CVE-2026-48059

8.7HIGH

Key Information:

Vendor

Netty

Status
Vendor
CVE Published:
12 June 2026

What is CVE-2026-48059?

The Netty framework, utilized for creating network applications, has a vulnerability pertaining to its handling of the HAProxy PROXY protocol v2 codec. Specifically, when clients send nested PP2_TYPE_SSL TLVs in syntactically valid headers at a depth of two or more, a memory leak occurs on successful parsing. This leak manifests as native or heap memory retention, as the underlying cumulation buffer remains pinned despite the proper release of the HAProxyMessage. The issue has been rectified in versions 4.1.135.Final and 4.2.15.Final.

Affected Version(s)

netty >= 4.2.0.Final, < 4.2.15.Final < 4.2.0.Final, 4.2.15.Final

netty < 4.1.135.Final < 4.1.135.Final

References

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.