.. _vulnerabilityManagement_securityAdvisory_2026_CVE-2026-42583:

CVE-2026-42583
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Data: 2026-05-07

Severity: High

CVSS Score:  7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Riferimenti:

- `https://guide.sonatype.com/vulnerability/CVE-2026-42583 <https://guide.sonatype.com/vulnerability/CVE-2026-42583>`_
- `https://github.com/netty/netty/security/advisories/GHSA-mj4r-2hfc-f8p6 <https://github.com/netty/netty/security/advisories/GHSA-mj4r-2hfc-f8p6>`_

Libreria: io.netty:netty-codec <= 4.1.132.Final

**Descrizione**

CWE-400: Uncontrolled Resource Consumption / CWE-770: Allocation of Resources Without Limits or Throttling

Netty's ``io.netty.handler.codec.compression.Lz4FrameDecoder`` is vulnerable to resource exhaustion. When decoding LZ4 frames, the decoder trusts the ``decompressedLength`` header field for sizing and allocates a ``ByteBuf`` of that size (up to 32 MB per block) before decompression actually runs. A peer only needs to send 22 bytes (a 21-byte header plus a 1-byte compressed payload, when ``compressedLength == 1``) to force the server to allocate the maximum 32 MB buffer. Untrusted senders, in absence of per-channel or aggregate limits, can therefore stress server memory with many small requests, causing a Denial of Service. The issue is fixed in versions 4.1.133.Final (``io.netty:netty-codec``) and 4.2.13.Final (``io.netty:netty-codec-compression``).

**GovWay**

Versione affette:

- 3.3.x: <= 3.3.19.p1
- 3.4.x: <= 3.4.2.p1

Risoluzione:

- 3.3.x: 3.3.20
- 3.4.x: 3.4.3