CVE Catalog

CVE-2026-48059

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.61%

45th percentile - higher than 45% of all known CVEs

Summary

A memory leak vulnerability exists in the Netty library when processing the HAProxy PROXY protocol v2. Each connection with a valid header containing nested PP2_TYPE_SSL TLVs at depth two or greater permanently pins the cumulation buffer, even after normal release of the HAProxyMessage object.

Risk Assessment

The memory leak can exhaust available memory in the application, causing crashes or significant performance degradation, posing a risk to service availability.

Recommendation

Immediately update Netty to version 4.1.135.Final or 4.2.15.Final, which contain the fix for the memory leak.

Original NVD description (English source)

Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, the HAProxy PROXY protocol v2 codec in netty leaks native or heap memory on every connection when a client sends a syntactically valid header containing nested `PP2_TYPE_SSL` TLVs (type-length-value records) at depth two or greater. The leak occurs on the successful parse path — no exception is thrown, the message fires downstream, the decoder removes itself, and the application releases the `HAProxyMessage` normally. Yet the underlying cumulation buffer (a pooled, potentially direct `ByteBuf` allocated by the channel) remains permanently pinned. Versions 4.1.135.Final and 4.2.15.Final patch the issue.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS