CVE-2026-42583

Data: 2026-05-07

Severity: High

CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Riferimenti:

• https://guide.sonatype.com/vulnerability/CVE-2026-42583

• https://github.com/netty/netty/security/advisories/GHSA-mj4r-2hfc-f8p6

Libreria: io.netty:netty-codec <= 4.1.132.Final

Descrizione

CWE-400: Uncontrolled Resource Consumption / CWE-770: Allocation of Resources Without Limits or Throttling

Netty’s io.netty.handler.codec.compression.Lz4FrameDecoder is vulnerable to resource exhaustion. When decoding LZ4 frames, the decoder trusts the decompressedLength header field for sizing and allocates a ByteBuf of that size (up to 32 MB per block) before decompression actually runs. A peer only needs to send 22 bytes (a 21-byte header plus a 1-byte compressed payload, when compressedLength == 1) to force the server to allocate the maximum 32 MB buffer. Untrusted senders, in absence of per-channel or aggregate limits, can therefore stress server memory with many small requests, causing a Denial of Service. The issue is fixed in versions 4.1.133.Final (io.netty:netty-codec) and 4.2.13.Final (io.netty:netty-codec-compression).

GovWay

Versione affette:

• 3.3.x: <= 3.3.19.p1

• 3.4.x: <= 3.4.2.p1

Risoluzione:

• 3.3.x: 3.3.20

• 3.4.x: 3.4.3