CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

SUSE CVE•added 5 days ago•7 views

SUSE CVE-2026-44249

Netty is a network application framework for development of protocol servers and clients. In netty-handler prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can bypass IPv6 subnet rules due to an incorrect masking operation in IpSubnetFilterRule.compareTo. Valid public IP addresses ca...

8.1CVSS5.3AI score0.00512EPSS

8.7CVSS5.5AI score0.00609EPSS

UBUNTU-CVE-2026-48059

Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, the HAProxy PROXY protocol v2 codec in netty leaks native or heap memory on every connection when a client sends a syntactically valid header containing nest...

OSV•added 6 days ago•3 views

UBUNTU-CVE-2026-50009

Netty is a network application framework for development of protocol servers and clients. Prior to version 4.2.15.Final, Netty QUIC exposes the stateless reset token on the network path when using the default HMAC-based connection-ID and stateless-reset-token generators. The reset token for the...

4.8CVSS5.4AI score0.00204EPSS

Exploits0References4

8.7CVSS5.3AI score0.00609EPSS

UBUNTU-CVE-2026-48006

Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, the RedisArrayAggregator handler permanently leaks pooled direct-memory buffers when a Redis pipeline connection closes before a RESP array aggregate...

OSV•added 6 days ago•3 views

UBUNTU-CVE-2026-50010

Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, SimpleTrustManagerFactory.engineGetTrustManagers and related paths wrap any user-supplied plain X509TrustManager in X509TrustManagerWrapper, which extends...

7.5CVSS5.3AI score0.00196EPSS

7.5CVSS5.5AI score0.00609EPSS

UBUNTU-CVE-2026-46340

Netty is a network application framework for development of protocol servers and clients. In versions of netty-transport-sctp prior to 4.1.135.Final and 4.2.15.Final, for each non-complete SctpMessage fragment the handler does fragments.putstreamId, Unpooled.wrappedBufferfrag, byteBuf, wrapping t...

CVE•added 6 days ago•56 views

CVE-2026-50010

Netty CVE-2026-50010 affects 4.1.135.Final and 4.2.15.Final. When using SimpleTrustManagerFactory.engineGetTrustManagers(), a user-supplied plain X509TrustManager is wrapped in X509TrustManagerWrapper. This wrapper makes the trust manager appear as X509ExtendedTrustManager but implements checkSer...

7.5CVSS5.3AI score0.00196EPSS

Exploits0References3Affected Software1

CVE•added 6 days ago•33 views

CVE-2026-47244

Netty HTTP/2 CVE-2026-47244 affects Netty 4.1.135.Final and 4.2.15.Final. Before patch, DefaultHttp2Connection.DefaultEndpoint initializes maxActiveStreams/maxStreams to Integer.MAX_VALUE and Http2Settings does not insert SETTINGS_MAX_CONCURRENT_STREAMS by default, so a Netty HTTP/2 server can ad...

5.3CVSS5.2AI score0.00507EPSS

Exploits0References3Affected Software1

CVE•added 6 days ago•20 views

CVE-2026-45536

CVE-2026-45536 affects Netty, specifically Unix-domain socket fd reception in netty_unix_socket_recvFd. Prior to versions 4.1.135.Final and 4.2.15.Final, a peer-sent SCM_RIGHTS message containing two fds can cause both descriptors to leak due to a mismatch between cmsg_len checks and the actual f...

4CVSS5.2AI score0.00193EPSS

Exploits0References3Affected Software1

Cvelist•added 6 days ago•24 views

CVE-2026-44894 Netty's Default QUIC token handler accepts any client-supplied token

Netty is a network application framework for development of protocol servers and clients. NoQuicTokenHandler is the tokenHandler used when the application does not set one. Prior to version 4.2.15.Final, its writeToken returns false server will not send Retry — acceptable, but validateToken...

7.5CVSS0.00232EPSS

Exploits0References2

7.5CVSS5.3AI score0.00488EPSS

UBUNTU-CVE-2026-44892

Netty is a network application framework for development of protocol servers and clients. Prior to version 4.2.15.Final, the default configuration of the Http3ConnectionHandler in the Netty HTTP/3 codec lacks an enforced maximum header size limit. When a peer does not explicitly specify...

Exploits0References4

Positive Technologies•added 6 days ago•9 views

PT-2026-48901

Name of the Vulnerable Software and Affected Versions Netty versions prior to 4.2.15.Final Description Netty QUIC exposes the stateless reset token on the network path when utilizing the default HMAC-based connection-ID and stateless-reset-token generators. Specifically, the...

4.8CVSS5.3AI score0.00204EPSS

NVD•added last week•9 views

CVE-2026-44890

Netty is a network application framework for development of protocol servers and clients. In netty-codec-redis prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can cause DoS by sending crafted Redis payloads across multiple connections without \r\n. This exhausts the server's direct...

7.5CVSS0.00609EPSS

NVD•added last week•9 views

CVE-2026-44250

Netty is a network application framework for development of protocol servers and clients. In netty-codec-redis prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can cause DoS by sending a crafted Redis payload with deeply nested arrays. This forces the server to allocate a massive...

7.5CVSS0.00609EPSS

OSV•added last week•3 views

UBUNTU-CVE-2026-44890

7.5CVSS5.3AI score0.00609EPSS

Cvelist•added last week•23 views

CVE-2026-44250 Netty: Memory Exhaustion in RedisArrayAggregator due to Deeply Nested Arrays

Netty is a network application framework for development of protocol servers and clients. In netty-codec-redis prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can cause DoS by sending a crafted Redis payload with deeply nested arrays. This forces the server to allocate a massive...

7.5CVSS0.00609EPSS