CVE-2026-44248
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk37th percentile - higher than 37% of all known CVEs
Summary
In Netty before versions 4.2.13.Final and 4.1.133.Final, a vulnerability exists in the MQTT 5 decoder. The Properties section of the MQTT header is parsed and buffered before any message size limit check, allowing an attacker to send oversized properties. This causes repeated, expensive parsing and memory buffering, leading to high CPU and RAM usage.
Risk Assessment
An attacker can overload a server using Netty for MQTT 5, causing a denial of service (DoS) by sending a crafted packet with an enormous Properties section. This may lead to service unavailability for clients.
Recommendation
Immediately update Netty to version 4.2.13.Final or 4.1.133.Final. If an update is not possible, consider restricting MQTT server access to trusted clients only.
Original NVD description (English source)
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the MQTT 5 header Properties section is parsed and buffered before any message size limit is applied. Specifically, in MqttDecoder, the decodeVariableHeader() method is called before the bytesRemainingBeforeVariableHeader > maxBytesInMessage check. The decodeVariableHeader() can call other methods which will call decodeProperties(). Effectively, Netty does not apply any limits to the size of the properties being decoded. Additionally, because MqttDecoder extends ReplayingDecoder, Netty will repeatedly re-parse the enormous Properties sections and buffer the bytes in memory, until the entire thing parses to completion. This can cause high resource usage in both CPU and memory. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

