PT-2022-6921 · Netty+5 · Netty+5

Normanmaurer · Published 2022-12-12 · Updated 2026-05-18 · CVE-2022-41881

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C

Name of the Vulnerable Software and Affected Versions

Netty versions prior to 4.1.86.Final

Description

The issue is an infinite recursion when parsing a malformed, crafted message, which can lead to a StackOverflowError. A remote attacker can exploit this to cause a denial of service. The recursion occurs when parsing a TLV with type = PP2_TYPE_SSL, whose value can itself be another TLV of the same type, and so on. The only limit on the recursion is the TLV length, which cannot exceed 0xffff because it is encoded as an unsigned short. A TLV with a sufficiently deep nesting level can cause a StackOverflowError.

Recommendations

For versions prior to 4.1.86.Final, upgrade to version 4.1.86.Final to resolve the issue. As a temporary workaround, consider using a custom HaProxyMessageDecoder.
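
The following is an added example, not code from Netty or from this advisory: a standalone Java check that walks a PROXY protocol v2 TLV region with an explicit work list and rejects PP2_TYPE_SSL nesting beyond a limit, the kind of bound a custom decoder could enforce before parsing. The class and method names, the depth limit of 1 and the sample bytes are assumptions constructed for illustration; the type value 0x20 and the 5-byte client/verify prefix follow the PROXY protocol v2 layout.

```java
import java.nio.ByteBuffer;
import java.util.ArrayDeque;
import java.util.Deque;

public class Pp2SslDepthCheck {
    static final int PP2_TYPE_SSL = 0x20; // TLV type value from the PROXY protocol v2 layout
    static final int SSL_PREFIX = 5;      // client (1 byte) + verify (4 bytes) before sub-TLVs

    // True if every TLV fits its parent and PP2_TYPE_SSL nesting never exceeds maxDepth.
    // Uses an explicit work list, so nesting in the input cannot grow the call stack.
    static boolean acceptable(byte[] tlvRegion, int maxDepth) {
        Deque<ByteBuffer> regions = new ArrayDeque<>();
        Deque<Integer> depths = new ArrayDeque<>();
        regions.push(ByteBuffer.wrap(tlvRegion));
        depths.push(0);
        while (!regions.isEmpty()) {
            ByteBuffer buf = regions.pop();
            int depth = depths.pop();
            while (buf.hasRemaining()) {
                if (buf.remaining() < 3) return false;      // truncated type/length header
                int type = buf.get() & 0xff;
                int len = buf.getShort() & 0xffff;          // unsigned short, at most 0xffff
                if (len > buf.remaining()) return false;    // value overruns its parent
                ByteBuffer value = buf.slice();
                value.limit(len);
                buf.position(buf.position() + len);         // skip to the next sibling TLV
                if (type != PP2_TYPE_SSL) continue;
                if (depth + 1 > maxDepth || len < SSL_PREFIX) return false;
                value.position(SSL_PREFIX);                 // sub-TLVs start after the prefix
                regions.push(value);
                depths.push(depth + 1);
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample: one SSL TLV carrying a 0x21 sub-TLV with the text "TLSv1.3".
        byte[] flat = {0x20, 0, 15, 1, 0, 0, 0, 0, 0x21, 0, 7, 'T', 'L', 'S', 'v', '1', '.', '3'};
        // Constructed sample: an SSL TLV whose value holds a second SSL TLV (nesting depth 2).
        byte[] nested = {0x20, 0, 13, 0, 0, 0, 0, 0, 0x20, 0, 5, 0, 0, 0, 0, 0};
        System.out.println("flat accepted:   " + acceptable(flat, 1));
        System.out.println("nested accepted: " + acceptable(nested, 1));
    }
}
```

Because the work list lives on the heap and the TLV region is bounded by the 0xffff length field, the check's cost is bounded by the input size regardless of how the TLVs are nested.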

Exploit

Fix

DoS

Uncontrolled Recursion

Weakness Enumeration

Related Identifiers

BDU:2023-05619
CLEANSTART-2026-CI66802
CLEANSTART-2026-DD05788
CLEANSTART-2026-KU61465
CLEANSTART-2026-LE11246
CLEANSTART-2026-RN56220
CLEANSTART-2026-SQ91016
CLEANSTART-2026-VH41554
CLEANSTART-2026-WK99982
CVE-2022-41881
DLA-3268-1
DSA-5316-1
GHSA-FX2C-96VJ-985V
OESA-2023-1905
OESA-2023-1906
OESA-2023-1907
OESA-2023-1999
OESA-2023-2000
OESA-2023-2001
OPENSUSE-SU-2024:14442-1
RHSA-2023:1512
RHSA-2023:1513
RHSA-2023:1514
RHSA-2023:2705
RHSA-2023:2706
RHSA-2023:2707
RHSA-2025:1746
RHSA-2025:1747
SUSE-SU-2023:2096-1
SUSE-SU-2023:2096-2
USN-6049-1

Affected Products

Astra Linux
Linuxmint
Netty
Red Os
Suse
Ubuntu