PT-2026-38360 · Netty · Netty

Published: 2026-05-07 · Updated: 2026-05-07 · CVE-2026-42583

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Netty (affected versions not specified)

Description: A resource exhaustion issue exists in the decode() function of the io.netty.handler.codec.compression.Lz4FrameDecoder class. The decoder trusts header fields to size its buffers: it allocates a ByteBuf sized from the decompressedLength header field (which can be as large as 32 MB per block) before LZ4 decompression begins. An attacker can trigger this large allocation with a small payload consisting of the 21-byte block header followed by compressedLength payload bytes. If no per-channel or aggregate limits are in place, an untrusted sender can therefore stress system memory by sending many such small messages.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
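As an added example (not Netty's code), the sizing decision a hardened decoder would make before allocating: parse the 21-byte block header, refuse any block whose claimed decompressedLength exceeds a per-block cap or the channel's aggregate budget, and only then report the size to allocate. The header layout (magic, token, compressedLength, decompressedLength, checksum, all little-endian) and the class and function names are assumptions for this example.

```python
import struct

# Assumed layout: magic "LZ4Block"(8) | token(1) | compressedLength(4 LE) | decompressedLength(4 LE) | checksum(4 LE)
MAGIC = b"LZ4Block"
HEADER_LENGTH = 21         # the 21-byte header the advisory names
MAX_BLOCK_SIZE = 1 << 25   # 32 MB, the per-block ceiling the advisory mentions


def parse_block_header(data: bytes):
    """Return (compressed_len, decompressed_len), or None while fewer than 21 bytes are buffered."""
    if len(data) < HEADER_LENGTH:
        return None
    magic, _token, compressed_len, decompressed_len, _checksum = struct.unpack_from("<8sBiii", data)
    if magic != MAGIC:
        raise ValueError("bad LZ4 block magic")
    return compressed_len, decompressed_len


class GuardedBlockSizer:
    """Sizes a block's output buffer under a per-block cap and a per-channel budget, instead of
    trusting decompressedLength alone (the pattern the advisory describes)."""

    def __init__(self, max_block_output: int, total_budget: int):
        self.max_block_output = max_block_output  # per-block cap, far below 32 MB for most services
        self.remaining = total_budget             # aggregate budget still available on this channel

    def output_size(self, data: bytes):
        """Bytes to allocate, 0 if the header is still incomplete, None if the block is refused."""
        hdr = parse_block_header(data)
        if hdr is None:
            return 0
        compressed_len, decompressed_len = hdr
        if not (0 <= compressed_len <= MAX_BLOCK_SIZE and 0 <= decompressed_len <= MAX_BLOCK_SIZE):
            return None                      # length field outside 0..32 MB: malformed block
        if decompressed_len > self.max_block_output:
            return None                      # header claims more than this service allows per block
        if decompressed_len > self.remaining:
            return None                      # would exceed the channel's aggregate budget
        self.remaining -= decompressed_len   # reserve now; release() once the output is consumed
        return decompressed_len

    def release(self, n: int) -> None:
        """Give budget back after the decompressed buffer has been handed downstream."""
        self.remaining += n


def make_block(compressed_len: int, decompressed_len: int) -> bytes:
    """Constructed sample: genuine header fields over a zero-filled payload (not a decodable LZ4 stream)."""
    return struct.pack("<8sBiii", MAGIC, 0x20, compressed_len, decompressed_len, 0) + bytes(compressed_len)
```

A refused block should be treated as a protocol error and the channel closed; the budget should be sized to what the service can afford across all open channels, not per message.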

Weakness Enumeration

Resource Exhaustion
Allocation of Resources Without Limits

Related Identifiers

CVE-2026-42583
GHSA-MJ4R-2HFC-F8P6

Affected Products

Netty