Lucene search
+L

387 matches found

UbuntuCve
UbuntuCve
added 2026/05/13 7:17 p.m.12 views

CVE-2026-42587

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate...

7.5CVSS5.9AI score0.00887EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2026/05/13 6:22 p.m.3 views

CVE-2026-42587 Netty: HttpContentDecompressor maxAllocation bypass via Content-Encoding: br/zstd/snappy enables decompression bomb DoS

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate...

7.5CVSS7AI score0.00887EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/05/13 6:22 p.m.49 views

CVE-2026-42587 Netty: HttpContentDecompressor maxAllocation bypass via Content-Encoding: br/zstd/snappy enables decompression bomb DoS

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate...

7.5CVSS0.00887EPSS
Exploits1References1
CVE
CVE
added 2026/05/13 6:22 p.m.87 views

CVE-2026-42587

Netty CVE-2026-42587 affects HttpContentDecompressor and DelegatingDecompressorFrameListener. Before 4.2.13.Final and 4.1.133.Final, maxAllocation is enforced for gzip/deflate but ignored for br, zstd, or snappy, allowing an attacker to bypass the decompression limit via Content-Encoding: br and ...

7.5CVSS5.9AI score0.00887EPSS
Exploits1References11Affected Software1
OSV
OSV
added 2026/05/13 6:22 p.m.2 views

CVE-2026-42587 Netty: HttpContentDecompressor maxAllocation bypass via Content-Encoding: br/zstd/snappy enables decompression bomb DoS

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate...

7.5CVSS7AI score0.00887EPSS
Exploits1References13
NVD
NVD
added 2026/05/12 10:16 p.m.17 views

CVE-2026-44302

Snappier is a high performance C implementation of the Snappy compression algorithm. Prior to 1.3.1, Snappier.SnappyStream enters an uncatchable infinite loop when decompressing a malformed framed-format Snappy stream as small as 15 bytes. This vulnerability is fixed in 1.3.1...

7.5CVSS0.00263EPSS
Exploits0References1
CVE
CVE
added 2026/05/12 9:33 p.m.47 views

CVE-2026-44302

CVE-2026-44302 affects Snappier, a C# implementation of Snappy. The vulnerability lies in SnappyStream decompression: when processing malformed framed-format input (as small as 15 bytes), SnappyStream enters an uncatchable infinite loop inside SnappyStreamDecompressor.Decompress, causing a busy-w...

7.5CVSS5.8AI score0.00263EPSS
Exploits0References1
Tenable Nessus
Tenable Nessus
added 2026/05/11 12:0 a.m.11 views

Unity Linux 20.1070e Security Update: netty (UTSA-2026-017447)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-017447 advisory. The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunk...

7.5CVSS6.8AI score0.0628EPSS
Exploits0References4
Microsoft CVE
Microsoft CVE
added 2026/05/07 8:3 a.m.22 views

Prometheus: remote read endpoint allows denial of service via crafted snappy payload

...

7.5CVSS5.8AI score0.00761EPSS
Exploits0
OSV
OSV
added 2026/05/07 12:46 a.m.38 views

GHSA-F6HV-JMP6-3VWV Netty: HttpContentDecompressor maxAllocation bypass when Content-Encoding set to br/zstd/snappy leads to decompression bomb DoS

Summary HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate encodings via ZlibDecoder, but is silently ignored when the content encoding is br Brotli, zstd, or...

7.5CVSS5.9AI score0.00887EPSS
Exploits1References3
Snyk
Snyk
added 2026/05/07 12:46 a.m.13 views

Improper Handling of Highly Compressed Data (Data Amplification)

Overview io.netty:netty-codec-http2 is a HTTP2 sub package for the netty library, an event-driven asynchronous network application framework. Affected versions of this package are vulnerable to Improper Handling of Highly Compressed Data Data Amplification in the HttpContentDecompressor and...

8.7CVSS5.8AI score0.00887EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/07 12:46 a.m.17 views

Improper Handling of Highly Compressed Data (Data Amplification)

Overview Affected versions of this package are vulnerable to Improper Handling of Highly Compressed Data Data Amplification in the HttpContentDecompressor and DelegatingDecompressorFrameListener components when the Content-Encoding header is set to br, zstd, or snappy. An attacker can exhaust...

8.7CVSS5.8AI score0.00887EPSS
Exploits1References2
Github Security Blog
Github Security Blog
added 2026/05/07 12:46 a.m.18 views

Netty: HttpContentDecompressor maxAllocation bypass when Content-Encoding set to br/zstd/snappy leads to decompression bomb DoS

Summary HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate encodings via ZlibDecoder, but is silently ignored when the content encoding is br Brotli, zstd, or...

7.5CVSS5.9AI score0.00887EPSS
Exploits1References3Affected Software2
Positive Technologies
Positive Technologies
added 2026/05/07 12:0 a.m.29 views

PT-2026-38379

Name of the Vulnerable Software and Affected Versions Netty versions prior to 4.1.133.Final Netty versions prior to 4.2.13.Final Description HttpContentDecompressor and DelegatingDecompressorFrameListener used for HTTP/2 connections utilize a maxAllocation parameter to limit decompression buffer...

7.5CVSS5.9AI score0.00887EPSS
Exploits1References410
OSV
OSV
added 2026/05/06 8:53 p.m.5 views

GHSA-PGGP-6C3X-2XMX Snappier has an infinite loop during SnappyStream decompression with malformed framed input

Summary Snappier.SnappyStream enters an uncatchable infinite loop when decompressing a malformed framed-format Snappy stream as small as 15 bytes. Details The hang manifests as a userspace busy loop with SnappyStreamDecompressor.Decompress repeatedly calling Crc32CAlgorithm.Append. The exact...

7.5CVSS5.8AI score0.00263EPSS
Exploits0References3
GithubExploit
GithubExploit
added 2026/05/06 2:59 p.m.106 views

avro-oom-compression-poc

Avro Decompression Bomb PoC CWE-409 Proof of concept demons...

5.8AI score
Exploits0
SUSE CVE
SUSE CVE
added 2026/05/06 1:41 a.m.8 views

SUSE CVE-2026-42154

Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the remote read endpoint /api/v1/read does not validate the declared decoded length in a snappy-compressed request body before allocating memory. An unauthenticated attacker can send a sma...

7.5CVSS5.8AI score0.00761EPSS
Exploits0References11
Positive Technologies
Positive Technologies
added 2026/05/06 12:0 a.m.16 views

PT-2026-38079

Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the remote read endpoint /api/v1/read does not validate the declared decoded length in a snappy-compressed request body before allocating memory. An unauthenticated attacker can send a sma...

7.5CVSS5.8AI score0.00761EPSS
Exploits0References19
EUVD
EUVD
added 2026/05/05 7:34 p.m.19 views

EUVD-2026-27091

Prometheus: Remote read endpoint allows denial of service via crafted snappy payload...

7.5CVSS5.8AI score0.00761EPSS
Exploits0References6
Github Security Blog
Github Security Blog
added 2026/05/05 7:34 p.m.10 views

Prometheus: Remote read endpoint allows denial of service via crafted snappy payload

Impact The remote read endpoint /api/v1/read does not validate the declared decoded length in a snappy-compressed request body before allocating memory. An unauthenticated attacker can send a small payload that causes a huge heap allocation per request. Under concurrent load this can exhaust...

7.5CVSS5.8AI score0.00761EPSS
Exploits0References7Affected Software1
Rows per page
Query Builder