Memory Leak Vulnerability in Netty Framework Affects HAProxy Protocol
CVE-2026-48059
8.7HIGH
What is CVE-2026-48059?
The Netty framework, utilized for creating network applications, has a vulnerability pertaining to its handling of the HAProxy PROXY protocol v2 codec. Specifically, when clients send nested PP2_TYPE_SSL TLVs in syntactically valid headers at a depth of two or more, a memory leak occurs on successful parsing. This leak manifests as native or heap memory retention, as the underlying cumulation buffer remains pinned despite the proper release of the HAProxyMessage. The issue has been rectified in versions 4.1.135.Final and 4.2.15.Final.
Affected Version(s)
netty >= 4.2.0.Final, < 4.2.15.Final < 4.2.0.Final, 4.2.15.Final
netty < 4.1.135.Final < 4.1.135.Final
