CVE-2026-42587

A flaw was found in Netty. A remote attacker can bypass the configured decompression limit in the HttpContentDecompressor by sending a specially crafted compressed payload using Brotli br, Zstandard zstd, or Snappy content encodings. This can lead to unbounded memory allocation, resulting in an...

Astra Linux - уязвимость в libzstd

Starting from v1.4.1 and before v1.4.9, due to an incomplete fix for CVE-2021-24031, the Zstandard command-line utility created output files with default permissions and then restricted those permissions immediately afterwards. As a result, the output files could temporarily be readable or writab...

Updated dpkg packages fix security vulnerabilities

It was discovered that dpkg-deb a component of dpkg, the Debian package management system does not properly validate the end of the data stream when uncompressing a zstd-compressed .deb archive, which may result in denial of service infinite loop spinning the CPU...

MGASA-2026-0144 Updated dpkg packages fix security vulnerabilities

It was discovered that dpkg-deb a component of dpkg, the Debian package management system does not properly validate the end of the data stream when uncompressing a zstd-compressed .deb archive, which may result in denial of service infinite loop spinning the CPU...

SUSE CVE-2026-42587

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate...

Linux Distros Unpatched Vulnerability : CVE-2026-42587

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation...

CVE-2026-42587

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate...

CVE-2026-42587 Netty: HttpContentDecompressor maxAllocation bypass via Content-Encoding: br/zstd/snappy enables decompression bomb DoS

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate...

Ubuntu 24.04 LTS / 25.10 : dpkg vulnerability (USN-8249-1)

The remote Ubuntu 24.04 LTS / 25.10 host has packages installed that are affected by a vulnerability as referenced in the USN-8249-1 advisory. Yashashree Gund discovered that the dpkg dpkg-deb tool incorrectly handled certain zstd-compressed .deb archives. If a user or automated system were trick...

Unity Linux 20.1060e / 20.1070e Security Update: zstd (UTSA-2026-017635)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-017635 advisory. Beginning in v1.4.1 and prior to v1.4.9, due to an incomplete fix for CVE-2021-24031, the Zstandard command-line utility created output files with default permission...

USN-8249-1: dpkg vulnerability

Yashashree Gund discovered that the dpkg dpkg-deb tool incorrectly handled certain zstd-compressed .deb archives. If a user or automated system were tricked into manipulating a specially crafted .deb archive, a remote attacker could possibly use this issue to cause dpkg-deb to stop responding,...

USN-8249-1 dpkg vulnerability

Yashashree Gund discovered that the dpkg dpkg-deb tool incorrectly handled certain zstd-compressed .deb archives. If a user or automated system were tricked into manipulating a specially crafted .deb archive, a remote attacker could possibly use this issue to cause dpkg-deb to stop responding,...

GHSA-F6HV-JMP6-3VWV Netty: HttpContentDecompressor maxAllocation bypass when Content-Encoding set to br/zstd/snappy leads to decompression bomb DoS

Summary HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate encodings via ZlibDecoder, but is silently ignored when the content encoding is br Brotli, zstd, or...

Improper Handling of Highly Compressed Data (Data Amplification)

Overview io.netty:netty-codec-http2 is a HTTP2 sub package for the netty library, an event-driven asynchronous network application framework. Affected versions of this package are vulnerable to Improper Handling of Highly Compressed Data Data Amplification in the HttpContentDecompressor and...

Netty: HttpContentDecompressor maxAllocation bypass when Content-Encoding set to br/zstd/snappy leads to decompression bomb DoS

Summary HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate encodings via ZlibDecoder, but is silently ignored when the content encoding is br Brotli, zstd, or...

Improper Handling of Highly Compressed Data (Data Amplification)

Overview Affected versions of this package are vulnerable to Improper Handling of Highly Compressed Data Data Amplification in the HttpContentDecompressor and DelegatingDecompressorFrameListener components when the Content-Encoding header is set to br, zstd, or snappy. An attacker can exhaust...

PT-2026-38379

Name of the Vulnerable Software and Affected Versions Netty versions prior to 4.1.133.Final Netty versions prior to 4.2.13.Final Description HttpContentDecompressor and DelegatingDecompressorFrameListener used for HTTP/2 connections utilize a maxAllocation parameter to limit decompression buffer...

avro-oom-compression-poc

Avro Decompression Bomb PoC CWE-409 Proof of concept demons...

Astra Linux - уязвимость в libzstd

In the Zstandard command-line utility prior to v1.4.1, output files were created with default permissions. The correct file permissions matching the input would only be set at the time of completion. As a result, output files could be readable or writable by unintended parties...

CLEANSTART-2026-HQ78610 Aircompressor is a library with ports of the Snappy, LZO, LZ4, and Zstandard compression algorithms to Java

Multiple security vulnerabilities affect the trino package. Aircompressor is a library with ports of the Snappy, LZO, LZ4, and Zstandard compression algorithms to Java. See references for individual vulnerability details...