CVE-2026-48059
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk45th percentile - higher than 45% of all known CVEs
Summary
A memory leak vulnerability exists in the Netty library when processing the HAProxy PROXY protocol v2. Each connection with a valid header containing nested PP2_TYPE_SSL TLVs at depth two or greater permanently pins the cumulation buffer, even after normal release of the HAProxyMessage object.
Risk Assessment
The memory leak can exhaust available memory in the application, causing crashes or significant performance degradation, posing a risk to service availability.
Recommendation
Immediately update Netty to version 4.1.135.Final or 4.2.15.Final, which contain the fix for the memory leak.
Original NVD description (English source)
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, the HAProxy PROXY protocol v2 codec in netty leaks native or heap memory on every connection when a client sends a syntactically valid header containing nested `PP2_TYPE_SSL` TLVs (type-length-value records) at depth two or greater. The leak occurs on the successful parse path — no exception is thrown, the message fires downstream, the decoder removes itself, and the application releases the `HAProxyMessage` normally. Yet the underlying cumulation buffer (a pooled, potentially direct `ByteBuf` allocated by the channel) remains permanently pinned. Versions 4.1.135.Final and 4.2.15.Final patch the issue.

