CVE-2026-44893

A flaw was found in netty-codec-haproxy, a component of the Netty network application framework. A remote attacker can exploit this vulnerability by sending a specially crafted HAProxy message with a malformed PP2TYPESSL TLV Type-Length-Value header. This can lead to an IndexOutOfBoundsException...

ai.agentican:agentican-quarkus-deployment (>=0.1.0-alpha.1 <=0.1.0-alpha.4), ai.agentican:agentican-quarkus-metrics (>=0.1.0-alpha.1 <=0.1.0-alpha.4) +6262 more potentially affected by CVE-2026-44893 via io.netty:netty-codec-haproxy (>=4.1.100.Final <=4.1.134.Final)

io.netty:netty-codec-haproxy MAVEN version =4.1.100.Final, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.3, =0.1.0, =0.1.0, =0.0.86, =0.0.86, =0.0.86, =def544ccef5f753238ecc4adfc2eaa7d2fc36d53-0.0.91 -...

Denial Of Service (DoS)

netty-codec-haproxy is vulnerable to Denial Of Service DoS. The vulnerability is due to a StackOverflowError in the HAProxyMessage.java as it does not properly limit the maximum nesting of TLV, allowing an attacker to cause an application crash via infinite recursion by passing a maliciously...