Lucene search
K

172 matches found

RedHat Linux
RedHat Linux
added 6 days ago4 views

netty: io.netty/netty-codec-http: io.netty/netty-codec-http2: Netty: Denial of Service via unbounded memory allocation in HTTP content decompression

A flaw was found in Netty. A remote attacker can bypass the configured decompression limit in the HttpContentDecompressor by sending a specially crafted compressed payload using Brotli br, Zstandard zstd, or Snappy content encodings. This can lead to unbounded memory allocation, resulting in an...

7.5CVSS6.8AI score0.00887EPSS
Exploits1References5
RedhatCVE
RedhatCVE
added 2026/07/02 6:1 p.m.6 views

CVE-2026-48044

A flaw was found in Envoy, an open source edge and service proxy. A remote attacker can exploit this vulnerability by sending a specially crafted, highly compressed zstd payload to an Envoy proxy with zstd decompression enabled. This can lead to massive memory allocation, causing severe memory...

7.5CVSS5.7AI score0.00486EPSS
Exploits1References4
RedHat Linux
RedHat Linux
added 2026/07/02 12:3 a.m.5 views

netty: io.netty/netty-codec-http: io.netty/netty-codec-http2: Netty: Denial of Service via unbounded memory allocation in HTTP content decompression

A flaw was found in Netty. A remote attacker can bypass the configured decompression limit in the HttpContentDecompressor by sending a specially crafted compressed payload using Brotli br, Zstandard zstd, or Snappy content encodings. This can lead to unbounded memory allocation, resulting in an...

7.5CVSS5.9AI score0.00887EPSS
Exploits1References5
OSV
OSV
added 2026/06/30 11:39 p.m.3 views

BIT-ENVOY-2026-48044 Envoy Zstd Decompressor: Ratio Check at Wrong Loop Depth lead to memory explosion

Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.23.0 until 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a vulnerability has been identified in Envoy's zstd decompressor implementation ZstdDecompressorImpl. When zstd decompression is enabled, processing a...

7.5CVSS5.8AI score0.00486EPSS
Exploits1References2
RedHat Linux
RedHat Linux
added 2026/06/30 3:58 p.m.7 views

Moderate: Red Hat Security Advisory: Red Hat OpenShift distributed tracing platform (Tempo) 3.10.1 release

Red Hat OpenShift distributed tracing platform Tempo 3.10.1 has been released This release of the Red Hat OpenShift distributed tracing platform Tempo provides security improvements and bug fixes. Breaking changes: None Deprecations: None Technology Preview features: None Enhancements: None Bug...

5.3CVSS6AI score0.0037EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/26 12:0 a.m.15 views

PT-2026-52889

Name of the Vulnerable Software and Affected Versions Envoy versions 1.23.0 through 1.35.10 Envoy versions 1.36.0 through 1.36.6 Envoy versions 1.37.0 through 1.37.2 Envoy versions 1.38.0 through 1.38.0 Description A flaw exists in the zstd decompressor implementation ZstdDecompressorImpl. When...

7.5CVSS5.7AI score0.00486EPSS
Exploits1References19
EUVD
EUVD
added 2026/06/12 2:39 p.m.10 views

EUVD-2026-36494

Netty is a network application framework for development of protocol servers and clients. In netty-codec-http2 prior to versions 4.1.135.Final and 4.2.15.Final, the DelegatingDecompressorFrameListener class orchestrates HTTP/2 decompression by embedding a per-stream EmbeddedChannel that runs the...

5.3CVSS5.2AI score0.00594EPSS
Exploits0References3
RedHat Linux
RedHat Linux
added 2026/06/10 12:9 p.m.10 views

netty: io.netty/netty-codec-http: io.netty/netty-codec-http2: Netty: Denial of Service via unbounded memory allocation in HTTP content decompression

A flaw was found in Netty. A remote attacker can bypass the configured decompression limit in the HttpContentDecompressor by sending a specially crafted compressed payload using Brotli br, Zstandard zstd, or Snappy content encodings. This can lead to unbounded memory allocation, resulting in an...

7.5CVSS6.8AI score0.00887EPSS
Exploits1References5
RedHat Linux
RedHat Linux
added 2026/06/10 12:5 p.m.11 views

netty: io.netty/netty-codec-http: io.netty/netty-codec-http2: Netty: Denial of Service via unbounded memory allocation in HTTP content decompression

A flaw was found in Netty. A remote attacker can bypass the configured decompression limit in the HttpContentDecompressor by sending a specially crafted compressed payload using Brotli br, Zstandard zstd, or Snappy content encodings. This can lead to unbounded memory allocation, resulting in an...

7.5CVSS6.8AI score0.00887EPSS
Exploits1References5
RedhatCVE
RedhatCVE
added 2026/05/28 3:1 p.m.19 views

CVE-2026-42587

A flaw was found in Netty. A remote attacker can bypass the configured decompression limit in the HttpContentDecompressor by sending a specially crafted compressed payload using Brotli br, Zstandard zstd, or Snappy content encodings. This can lead to unbounded memory allocation, resulting in an...

7.5CVSS6.8AI score0.00887EPSS
Exploits1References4
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.7 views

Astra Linux – Vulnerability in libzstd

In the Zstandard command-line utility prior to v1.4.1, output files were created with default permissions. The correct file permissions matching the input would only be set at the time of completion. As a result, output files could be readable or writable by unintended parties...

5.5CVSS6AI score0.00431EPSS
Exploits1References2
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.6 views

Astra Linux – Vulnerability in libzstd

Starting from v1.4.1 and before v1.4.9, due to an incomplete fix for CVE-2021-24031, the Zstandard command-line utility created output files with default permissions and immediately restricted those permissions afterward. As a result, the output files could temporarily be readable or writable to...

4.7CVSS5.9AI score0.00346EPSS
Exploits0References1
OSV
OSV
added 2026/05/16 6:17 a.m.10 views

MGASA-2026-0144 Updated dpkg packages fix security vulnerabilities

It was discovered that dpkg-deb a component of dpkg, the Debian package management system does not properly validate the end of the data stream when uncompressing a zstd-compressed .deb archive, which may result in denial of service infinite loop spinning the CPU...

7.5CVSS5.8AI score0.00418EPSS
Exploits0References3
Mageia
Mageia
added 2026/05/16 6:17 a.m.16 views

Updated dpkg packages fix security vulnerabilities

It was discovered that dpkg-deb a component of dpkg, the Debian package management system does not properly validate the end of the data stream when uncompressing a zstd-compressed .deb archive, which may result in denial of service infinite loop spinning the CPU...

7.5CVSS5.8AI score0.00418EPSS
Exploits0References2
SUSE CVE
SUSE CVE
added 2026/05/15 1:58 a.m.16 views

SUSE CVE-2026-42587

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate...

7.5CVSS5.9AI score0.00887EPSS
Exploits1References4
Tenable Nessus
Tenable Nessus
added 2026/05/14 12:0 a.m.14 views

Linux Distros Unpatched Vulnerability : CVE-2026-42587

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation...

7.5CVSS6.9AI score0.00887EPSS
Exploits1References3
UbuntuCve
UbuntuCve
added 2026/05/13 7:17 p.m.12 views

CVE-2026-42587

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate...

7.5CVSS5.9AI score0.00887EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2026/05/13 6:22 p.m.3 views

CVE-2026-42587 Netty: HttpContentDecompressor maxAllocation bypass via Content-Encoding: br/zstd/snappy enables decompression bomb DoS

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate...

7.5CVSS7AI score0.00887EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/05/13 6:22 p.m.44 views

CVE-2026-42587 Netty: HttpContentDecompressor maxAllocation bypass via Content-Encoding: br/zstd/snappy enables decompression bomb DoS

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate...

7.5CVSS0.00887EPSS
Exploits1References1
OSV
OSV
added 2026/05/13 6:22 p.m.1 views

CVE-2026-42587 Netty: HttpContentDecompressor maxAllocation bypass via Content-Encoding: br/zstd/snappy enables decompression bomb DoS

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate...

7.5CVSS7AI score0.00887EPSS
Exploits1References13
Rows per page
Query Builder