PT-2026-38379 · Netty+2
Published
2026-05-07
·
Updated
2026-06-24
·
CVE-2026-42587
CVSS v3.1
7.5
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
Netty versions prior to 4.1.133.Final
Netty versions prior to 4.2.13.Final
Description
HttpContentDecompressor and DelegatingDecompressorFrameListener (used for HTTP/2 connections) take a maxAllocation parameter that limits the size of the decompression buffer and is meant to stop decompression bombs: small compressed payloads that expand to a very large size and exhaust system resources. The limit is enforced only for the gzip and deflate encodings, which go through ZlibDecoder; it is ignored for the br (Brotli), zstd and snappy encodings. An attacker can bypass the configured limit by sending a compressed payload with Content-Encoding: br, zstd or snappy, which causes unbounded memory allocation and an out-of-memory denial of service.
Recommendations
Update to version 4.1.133.Final or later.
Update to version 4.2.13.Final or later.
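For deployments that cannot upgrade immediately, the following is an added example (not Netty code and not part of this advisory) of a compensating control for an HTTP/1.x server pipeline: a handler placed in front of HttpContentDecompressor that rejects any request whose Content-Encoding is not one of the codings where the maxAllocation cap is actually enforced, so br, zstd and snappy bodies never reach the decompressor. The class names ContentEncodingGuard and GuardedHttpInitializer, the 1 MiB cap, and the assumption that HttpContentDecompressor in the reader's version exposes the maxAllocation value through a single-int constructor are all choices made for this example; check the javadoc of the version in use for the exact overload.

```java
import java.util.Locale;
import java.util.Set;

import io.netty.channel.ChannelFutureListener;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelInboundHandlerAdapter;
import io.netty.channel.ChannelInitializer;
import io.netty.channel.socket.SocketChannel;
import io.netty.handler.codec.http.DefaultFullHttpResponse;
import io.netty.handler.codec.http.HttpContentDecompressor;
import io.netty.handler.codec.http.HttpHeaderNames;
import io.netty.handler.codec.http.HttpObjectAggregator;
import io.netty.handler.codec.http.HttpRequest;
import io.netty.handler.codec.http.HttpResponseStatus;
import io.netty.handler.codec.http.HttpServerCodec;
import io.netty.handler.codec.http.HttpVersion;
import io.netty.util.ReferenceCountUtil;

/** Rejects request bodies whose Content-Encoding is not covered by the maxAllocation cap. */
final class ContentEncodingGuard extends ChannelInboundHandlerAdapter {
    // Codings handled by ZlibDecoder (where maxAllocation is honoured) plus the no-op coding.
    // Everything else, including br, zstd and snappy, is refused.
    private static final Set<String> ALLOWED = Set.of("gzip", "x-gzip", "deflate", "identity");
    private boolean discarding; // true while draining the body chunks of a rejected request

    @Override
    public void channelRead(ChannelHandlerContext ctx, Object msg) {
        if (msg instanceof HttpRequest) {
            String enc = ((HttpRequest) msg).headers().get(HttpHeaderNames.CONTENT_ENCODING);
            discarding = !isAllowed(enc);
            if (discarding) {
                ReferenceCountUtil.release(msg);
                // RFC 9110 section 15.5.16: 415 is the status for an unsupported content coding.
                DefaultFullHttpResponse resp = new DefaultFullHttpResponse(
                        HttpVersion.HTTP_1_1, HttpResponseStatus.UNSUPPORTED_MEDIA_TYPE);
                resp.headers().set(HttpHeaderNames.CONTENT_LENGTH, 0);
                ctx.writeAndFlush(resp).addListener(ChannelFutureListener.CLOSE);
                return;
            }
        } else if (discarding) {
            ReferenceCountUtil.release(msg); // remaining chunks of the rejected request
            return;
        }
        ctx.fireChannelRead(msg);
    }

    /** Every coding in a (possibly comma-separated) Content-Encoding value must be allowed. */
    static boolean isAllowed(String contentEncoding) {
        if (contentEncoding == null || contentEncoding.isEmpty()) {
            return true; // no body coding at all
        }
        for (String token : contentEncoding.split(",")) {
            if (!ALLOWED.contains(token.trim().toLowerCase(Locale.ROOT))) {
                return false;
            }
        }
        return true;
    }
}

/** Server pipeline: the guard sits in front of the decompressor so br/zstd/snappy never reach it. */
final class GuardedHttpInitializer extends ChannelInitializer<SocketChannel> {
    // Hypothetical cap chosen for this example; size it for the largest legitimate request body.
    private static final int MAX_DECOMPRESSED_BYTES = 1 << 20; // 1 MiB

    @Override
    protected void initChannel(SocketChannel ch) {
        ch.pipeline()
          .addLast(new HttpServerCodec())
          .addLast(new ContentEncodingGuard())
          // maxAllocation: the per-decoder limit the advisory describes (enforced for gzip/deflate).
          // Assumed single-int overload; verify against the javadoc of the version in use.
          .addLast(new HttpContentDecompressor(MAX_DECOMPRESSED_BYTES))
          // Second, encoding-independent bound on the aggregated message (replies 413 when exceeded).
          .addLast(new HttpObjectAggregator(MAX_DECOMPRESSED_BYTES));
    }
}
```

The guard trades away legitimate Brotli, zstd and snappy uploads until the upgrade is applied, which is usually acceptable for a server. It covers only the HTTP/1.x path: the HTTP/2 path through DelegatingDecompressorFrameListener needs an equivalent check on the HEADERS frame, and the upgrade to 4.1.133.Final / 4.2.13.Final remains the actual fix.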
Exploit
Fix
DoS
Resource Exhaustion
Allocation of Resources Without Limits
Related Identifiers
Affected Products
Confluence
Netty
Red Os