CVE-2026-42587

A flaw was found in Netty. A remote attacker can bypass the configured decompression limit in the HttpContentDecompressor by sending a specially crafted compressed payload using Brotli br, Zstandard zstd, or Snappy content encodings. This can lead to unbounded memory allocation, resulting in an...

CVE-2026-42154

A flaw was found in Prometheus. An unauthenticated attacker can exploit the remote read endpoint /api/v1/read by sending a specially crafted, small snappy-compressed payload. This payload causes a disproportionately large memory allocation, leading to memory exhaustion and a Denial of Service DoS...

GHSA-VPR4-P6FQ-85JC Snappy: Binary path is never shell-escaped due to an inverted is_executable check

Impact On POSIX, escapeshellarg‘/usr/bin/wkhtmltopdf’ returns the literal string ‘/usr/bin/wkhtmltopdf’ with the single-quote characters included. isexecutable then looks for a file whose actual name contains those quote characters, which essentially never exists. The safe branch is dead code and...

Command Injection

Overview Affected versions of this package are vulnerable to Command Injection via the constructor when the binary path is sourced from user-influenced configuration, environment variables derived from request data, or concatenated with user-controlled fragments. An attacker can execute arbitrary...

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the xsl-style-sheet option. An attacker can access internal or remote resources and read arbitrary local files by supplying crafted input to the xsl-style-sheet parameter. Remediation Upgrade...

Snappy : SSRF and local file read via the xsl-style-sheet option

Impact It impacts applications where: - the PHP daemon run with root permissions ; - the application is either running outside a container or has sensitive file access ; It could happens with this kind of workflows: php $stylesheet = $GET'stylesheet'; // = ‘file:///etc/passwd’ $pdf = new...

PT-2026-42693

Name of the Vulnerable Software and Affected Versions KnpLabs Snappy versions prior to 1.7.1 Description A shell injection issue exists on POSIX systems where the escapeshellarg function returns a string containing single-quote characters. This causes the is executable check to fail, as it search...

Astra Linux - уязвимость в snappy-java

Snappy-Java is a Java port of the snappy, a fast C++ compressor/ decompressor developed by Google. It was found that the SnappyInputStream is vulnerable to Denial of Service DoS attacks when decompressing data with a too large chunk size. Due to a lack of a upper bound check on the chunk length, ...

CVE-2026-46643

creationtimestamp| type| source ---|---|--- 2026-05-15 14:07:16+00:00| published-proof-of-concept| https://github.com/KnpLabs/snappy/security/advisories/GHSA-vpr4-p6fq-85jc...

SUSE CVE-2026-42587

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate...

Linux Distros Unpatched Vulnerability : CVE-2026-42587

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation...

CVE-2026-42587

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate...

DEBIAN-CVE-2026-42587

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate...

CVE-2026-42587

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate...

CVE-2026-42587 Netty: HttpContentDecompressor maxAllocation bypass via Content-Encoding: br/zstd/snappy enables decompression bomb DoS

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate...

CVE-2026-42587

Netty CVE-2026-42587 affects HttpContentDecompressor and DelegatingDecompressorFrameListener. Before 4.2.13.Final and 4.1.133.Final, maxAllocation is enforced for gzip/deflate but ignored for br, zstd, or snappy, allowing an attacker to bypass the decompression limit via Content-Encoding: br and ...

CVE-2026-44302

Snappier is a high performance C implementation of the Snappy compression algorithm. Prior to 1.3.1, Snappier.SnappyStream enters an uncatchable infinite loop when decompressing a malformed framed-format Snappy stream as small as 15 bytes. This vulnerability is fixed in 1.3.1...

CVE-2026-44302

CVE-2026-44302 affects Snappier, a C# implementation of Snappy. The vulnerability lies in SnappyStream decompression: when processing malformed framed-format input (as small as 15 bytes), SnappyStream enters an uncatchable infinite loop inside SnappyStreamDecompressor.Decompress, causing a busy-w...

Unity Linux 20.1070e Security Update: netty (UTSA-2026-017447)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-017447 advisory. The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunk...

Prometheus: remote read endpoint allows denial of service via crafted snappy payload

...