CVE-2026-44967 opentelemetry-cpp: OTLP HTTP exporters read unbounded HTTP response

OpenTelemetry-cpp is the C++ implementation of OpenTelemetry. Prior to release 1.27.0, the OTLP HTTP exporters traces/metrics/logs read the full HTTP response into an in-memory vector of bytes without a size cap. This is exploitable for memory exhaustion when the configured collector endpoint is...

EUVD-2026-36466

OpenTelemetry-cpp is the C++ implementation of OpenTelemetry. Prior to release 1.27.0, the OTLP HTTP exporters traces/metrics/logs read the full HTTP response into an in-memory vector of bytes without a size cap. This is exploitable for memory exhaustion when the configured collector endpoint is...

CVE-2026-44967 opentelemetry-cpp: OTLP HTTP exporters read unbounded HTTP response

OpenTelemetry-cpp is the C++ implementation of OpenTelemetry. Prior to release 1.27.0, the OTLP HTTP exporters traces/metrics/logs read the full HTTP response into an in-memory vector of bytes without a size cap. This is exploitable for memory exhaustion when the configured collector endpoint is...

CVE-2026-44967

OpenTelemetry-cpp OTLP HTTP exporters (traces/metrics/logs) read entire HTTP responses into an unbounded in-memory byte vector before 1.27.0, enabling memory exhaustion if the collector endpoint is attacker-controlled or the connection is MITM. The issue is fixed in opentelemetry-cpp release 1.27...

CVE-2026-48748 Netty HTTP/3 QPACK Blocked Streams Memory Exhaustion

Netty is a network application framework for development of protocol servers and clients. Prior to version 4.2.15.Final, a memory exhaustion vulnerability in the Netty HTTP/3 codec allows the creation of an infinite number of blocked streams, which can cause OOM error. Version 4.2.15.Final patche...

CVE-2026-48748 Netty HTTP/3 QPACK Blocked Streams Memory Exhaustion

Netty is a network application framework for development of protocol servers and clients. Prior to version 4.2.15.Final, a memory exhaustion vulnerability in the Netty HTTP/3 codec allows the creation of an infinite number of blocked streams, which can cause OOM error. Version 4.2.15.Final patche...

CVE-2026-48748

Netty HTTP/3 vulnerability CVE-2026-48748: a memory-exhaustion flaw in the Netty HTTP/3 codec prior to 4.2.15.Final allows an infinite number of blocked streams, leading to OOM. The issue is fixed in Netty version 4.2.15.Final. Affected component: Netty’s HTTP/3 codec. Root cause: unbounded block...

CVE-2026-48059 Netty HAProxy: Unbalanced Reference Count in Nested PP2_TYPE_SSL TLV Parsing Leads to Memory Exhaustion

Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, the HAProxy PROXY protocol v2 codec in netty leaks native or heap memory on every connection when a client sends a syntactically valid header containing nest...

EUVD-2026-36457

Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, the HAProxy PROXY protocol v2 codec in netty leaks native or heap memory on every connection when a client sends a syntactically valid header containing nest...

CVE-2026-48059 Netty HAProxy: Unbalanced Reference Count in Nested PP2_TYPE_SSL TLV Parsing Leads to Memory Exhaustion

Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, the HAProxy PROXY protocol v2 codec in netty leaks native or heap memory on every connection when a client sends a syntactically valid header containing nest...

CVE-2026-48059

Netty HAProxy: In Netty’s HAProxy PROXY protocol v2 codec, a memory leak occurs on each connection when a syntactically valid nested PP2_TYPE_SSL TLV (depth ≥ 2) is provided. This affects Netty versions 4.1.135.Final and 4.2.15.Final. The leak happens on the successful parse path: the message is ...

CVE-2026-48043 netty-codec-http2: ByteBuf Reference-Count Leak in DelegatingDecompressorFrameListener Leads to Memory Exhaustion

Netty is a network application framework for development of protocol servers and clients. In netty-codec-http2 prior to versions 4.1.135.Final and 4.2.15.Final, the DelegatingDecompressorFrameListener class orchestrates HTTP/2 decompression by embedding a per-stream EmbeddedChannel that runs the...

CVE-2026-48043

Netty CVE-2026-48043 affects netty-codec-http2 before 4.1.135.Final and 4.2.15.Final. A flaw in DelegatingDecompressorFrameListener uses a per-stream EmbeddedChannel to decompress frames (gzip/deflate/zstd) and forwards chunks to a tail handler; decompressed ByteBuf ownership is not robust, allow...

CVE-2026-48043 netty-codec-http2: ByteBuf Reference-Count Leak in DelegatingDecompressorFrameListener Leads to Memory Exhaustion

Netty is a network application framework for development of protocol servers and clients. In netty-codec-http2 prior to versions 4.1.135.Final and 4.2.15.Final, the DelegatingDecompressorFrameListener class orchestrates HTTP/2 decompression by embedding a per-stream EmbeddedChannel that runs the...

CVE-2026-48006 Netty's Lack of Lifecycle Cleanup Leads to Pooled ByteBuf Leak in RedisArrayAggregator

Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, the RedisArrayAggregator handler permanently leaks pooled direct-memory buffers when a Redis pipeline connection closes before a RESP array aggregate...

EUVD-2026-36492

Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, the RedisArrayAggregator handler permanently leaks pooled direct-memory buffers when a Redis pipeline connection closes before a RESP array aggregate...

CVE-2026-48006 Netty's Lack of Lifecycle Cleanup Leads to Pooled ByteBuf Leak in RedisArrayAggregator

Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, the RedisArrayAggregator handler permanently leaks pooled direct-memory buffers when a Redis pipeline connection closes before a RESP array aggregate...

CVE-2026-48006

Summary : CVE-2026-48006 relates to Netty’s RedisArrayAggregator leaking pooled direct-memory buffers when a Redis pipeline connection closes before a RESP array aggregate completes. This occurs prior to Netty versions 4.1.135.Final and 4.2.15.Final . Root cause : The RedisArrayAggregator retains...

CVE-2026-46433

A flaw was found in lldpd, an implementation of IEEE 802.1ab LLDP. A remote attacker on the adjacent network can send specially crafted Ethernet frames with 802.1Q VLAN Virtual Local Area Network tags. This can cause a 4-byte heap buffer over-read, leading to a denial of service DoS due to an...

CVE-2026-46340 Netty: SCTP reassembly nests buffers without bound

Netty is a network application framework for development of protocol servers and clients. In versions of netty-transport-sctp prior to 4.1.135.Final and 4.2.15.Final, for each non-complete SctpMessage fragment the handler does fragments.putstreamId, Unpooled.wrappedBufferfrag, byteBuf, wrapping t...