26 matches found
ROOT-APP-MAVEN-CVE-2026-44249 CVE-2026-44249 in io.root.io.netty:netty-handler - Patched by Root
Root has patched CVE-2026-44249 in the io.root.io.netty:netty-handler package for Root:Maven. Multiple fixed versions available...
GHSA-CQ4Q-CV5G-R8Q5 Netty: QUIC stateless reset token material exposed through header-visible connection IDs
Summary Netty QUIC exposes the stateless reset token on the network path when using the default HMAC-based connection-ID and stateless-reset-token generators. The reset token for the server's current source connection ID can be derived from bytes that appear as the connection ID in QUIC headers...
Allocation of Resources Without Limits or Throttling
Overview io.netty:netty-codec-http2 is a HTTP2 sub package for the netty library, an event-driven asynchronous network application framework. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the lack of enforcement of the advertised...
ai.agentican:agentican-framework-core (>=0.1.0-alpha.2 <=0.1.0-alpha.4), ai.agentican:agentican-quarkus-deployment (>=0.1.0-alpha.1 <=0.1.0-alpha.4) +23724 more potentially affected by CVE-2026-42584 via io.netty:netty-codec-http (>=4.0.0.Alpha1 <=4.1.132.Final)
io.netty:netty-codec-http MAVEN version =4.0.0.Alpha1, =0.1.0-alpha.2, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.3, =0.1.0-alpha.2, =0.1.0, =0.1.0, =0.2.0, =0.2.0, =0.28.0 and more Source cves:...
ai.new-wave:spring-agent-app (>=0.1.0 <=0.3.0), ai.new-wave:spring-agent-core (>=0.1.0 <=0.3.0) +1990 more potentially affected by CVE-2026-42579 via io.netty:netty-codec-dns (>=4.2.0.Alpha1 <=4.2.12.Final)
io.netty:netty-codec-dns MAVEN version =4.2.0.Alpha1, =0.1.0, =0.1.0, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.2 and more Source cves: CVE-2026-42579 Source advisory: OSV:GHSA-CM33-6792-R9FM...
DSA-6160-1 netty - security update
Bulletin has no description...
Debian dsa-6160 : libnetty-java - security update
The remote Debian 12 / 13 host has a package installed that is affected by multiple vulnerabilities as referenced in the dsa-6160 advisory. Debian Security Advisory DSA-6160-1...
EUVD-2019-0708
Malware in sbrugna...
Security Bulletin: IBM® Db2® federated server is affected by a vulnerability in the netty library (CVE-2025-24970)
Summary Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final. When a specially crafted packet is received via SslHandler it doesn't correctly handle validation of such a packet in all cases which...
Security update 4.3.15.2 SUSE Manager Server 4.3
This update fixes the following issues: netty: Security issues fixed: CVE-2024-47535: Decorate InputStream to throw an exception once the data read limit is reached bsc1233297 Other changes: Replace AlgorithmId.sha256WithRSAEncryptionoid usage with specify the OID directly susemanager-sync-data:...
CVE-2019-17513
An issue was discovered in Ratpack before 1.7.5. Due to a misuse of the Netty library class DefaultHttpHeaders, there is no validation that headers lack HTTP control characters. Thus, if untrusted data is used to construct HTTP headers with Ratpack, HTTP Response Splitting can occur...
Security Bulletin: IBM® Db2® is affected by a vulnerability in the netty library. (CVE-2024-47535, CVE-2025-25193)
Summary IBM® Db2® is vulnerable to a denial of service due to unsafe environment file loading. Vulnerability Details CVEID:CVE-2024-47535 DESCRIPTION: Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers &...
Security Bulletin: IBM WebSphere Application Server Liberty, which is bundled with IBM WebSphere Hybrid Edition, is vulnerable to a denial of service due to Netty (CVE-2025-25193)
Summary There is a vulnerability in the Netty library used by IBM WebSphere Application Server Liberty, which is bundled with IBM WebSphere Hybrid Edition, with the grpc-1.0 or grpcClient-1.0 feature enabled. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes...
Security Bulletin: IBM WebSphere Application Server Liberty, which is bundled with IBM Enterprise Application Runtimes, is vulnerable to a denial of service due to Netty (CVE-2025-25193)
Summary There is a vulnerability in the Netty library used by IBM WebSphere Application Server Liberty, which is bundled with IBM Enterprise Application Runtimes, with the grpc-1.0 or grpcClient-1.0 feature enabled. Vulnerability Details Refer to the security bulletins listed in the...
Security Bulletin: IBM WebSphere Application Server Liberty is vulnerable to a denial of service due to Netty (CVE-2025-25193)
Summary There is a vulnerability in the Netty library used by IBM WebSphere Application Server Liberty with the grpc-1.0 or grpcClient-1.0 feature enabled. Vulnerability Details CVEID:CVE-2025-25193 DESCRIPTION: Netty, an asynchronous, event-driven network application framework, has a vulnerabili...
Security Bulletin: IBM WebSphere Application Server Liberty, which is bundled with IBM WebSphere Hybrid Edition, is vulnerable to a denial of service due to Netty (CVE-2024-47535)
Summary There is a vulnerability in the Netty library used by IBM WebSphere Application Server Liberty, which is bundled with IBM WebSphere Hybrid Edition, with the grpc-1.0 or grpcClient-1.0 feature enabled. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes...
Security Bulletin: IBM WebSphere Application Server Liberty, which is bundled with IBM Cloud Pak for Applications, is vulnerable to a denial of service due to Netty (CVE-2024-47535)
Summary There is a vulnerability in the Netty library used by IBM WebSphere Application Server Liberty, which is bundled with IBM Cloud Pak for Applications, with the grpc-1.0 or grpcClient-1.0 feature enabled. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes...
netty: control chars in header names may lead to HTTP request smuggling
A flaw was found in Netty, specifically in the netty-codec-http package. This flaw allows unauthorized control characters at the beginning and end of a request, does not follow the specification, and can cause HTTP request smuggling...
GHSA-GRG4-WF29-R9VV Bzip2Decoder doesn't allow setting size restrictions for decompressed data
Impact The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data, which affects the allocation size used during decompression. All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack. Workarounds No...
USN-4532-1 netty-3.9 vulnerabilities
It was discovered that Netty incorrectly handled certain HTTP headers. By sending an HTTP header with whitespace before the colon, a remote attacker could possibly use this issue to perform an HTTP request smuggling attack. CVE-2019-16869 It was discovered that Netty incorrectly handled certain...