PT-2026-38399 · Netty · Netty

Published: 2026-05-07 · Updated: 2026-06-11 · CVE-2026-44248

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Netty (affected versions not specified)

Description: Resource exhaustion occurs because the MQTT 5 Properties section of the variable header is parsed and buffered before any message size limit is applied. In the MqttDecoder class, decodeVariableHeader() runs before the check for bytesRemainingBeforeVariableHeader > maxBytesInMessage, so decodeVariableHeader() can call decodeProperties() on a Properties section whose size has not yet been bounded, even though the remaining length needed for that check is already known from the fixed header. Because MqttDecoder extends ReplayingDecoder, which rewinds to its last checkpoint and re-runs the decoder each time more bytes arrive, a large Properties section delivered in small chunks is re-parsed and re-buffered in memory repeatedly until it has arrived in full, leading to high CPU and memory consumption. The CVSS vector (AV:N, PR:N) indicates that any remote client able to reach the MQTT listener can trigger this without authentication.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability. Since the affected versions are not specified either, treat every deployment that exposes MqttDecoder to untrusted clients as potentially affected and track the related identifiers below for a fixed release.
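The following is an added illustration of the decode-order problem described above; it is not Netty's MqttDecoder and all names in it (NeedMoreData, TooLongFrame, build_connect, decode_connect, replaying_feed) are the example's own. It models a minimal MQTT 5 CONNECT decoder in two orderings: the vulnerable one, where the remaining-length limit is only checked after the variable header and its Properties have been parsed, and the hardened one, where the limit is checked as soon as the fixed header's remaining length is known. replaying_feed delivers a packet in chunks and re-runs the decoder from the start of the message after each chunk, which is how a replaying decoder behaves, and counts the property bytes touched as a proxy for CPU work. The sample packet is constructed inline (User Property, id 0x26, per the MQTT 5 framing) rather than captured traffic.

```python
"""Model of the MQTT 5 decode-order issue: vulnerable vs hardened ordering (added example, not Netty code)."""
import struct


class NeedMoreData(Exception):
    """Buffer ended mid-message: a replaying decoder rewinds to its checkpoint and retries later."""


class TooLongFrame(Exception):
    """Remaining length exceeds the configured maximum message size."""


def encode_vbi(n):
    """MQTT variable byte integer: 7 bits per byte, high bit set on all but the last byte."""
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)


def decode_vbi(buf, pos):
    value, mult = 0, 1
    for i in range(4):
        if pos + i >= len(buf):
            raise NeedMoreData
        b = buf[pos + i]
        value += (b & 0x7F) * mult
        if not b & 0x80:
            return value, pos + i + 1
        mult *= 128
    raise ValueError("malformed variable byte integer")


def build_connect(user_props):
    """Constructed sample input: an MQTT 5 CONNECT with the given (key, value) User Properties.
    Variable header = protocol name, level 5, connect flags, keep-alive, properties; payload = client id."""
    props = bytearray()
    for key, val in user_props:
        props += b"\x26" + struct.pack(">H", len(key)) + key + struct.pack(">H", len(val)) + val
    var_header = (b"\x00\x04MQTT" + b"\x05" + b"\x02" + struct.pack(">H", 60)
                  + encode_vbi(len(props)) + bytes(props))
    payload = struct.pack(">H", 6) + b"client"
    body = var_header + payload
    return b"\x10" + encode_vbi(len(body)) + body


def parse_properties(buf, pos, end, work):
    """Decode User Properties until `end`; work[0] accumulates string bytes copied out (CPU cost proxy)."""
    props = []
    while pos < end:
        if pos >= len(buf):
            raise NeedMoreData
        ident = buf[pos]
        pos += 1
        if ident != 0x26:
            raise ValueError("property id not modelled: %#x" % ident)
        pair = []
        for _ in range(2):
            if pos + 2 > len(buf):
                raise NeedMoreData
            (n,) = struct.unpack_from(">H", buf, pos)
            pos += 2
            if pos + n > len(buf):
                raise NeedMoreData
            pair.append(bytes(buf[pos:pos + n]))
            work[0] += n
            pos += n
        props.append(tuple(pair))
    return props, pos


def decode_connect(buf, max_bytes, check_before_parse, work):
    """Decode one CONNECT. With check_before_parse=False the size limit is enforced only after
    the variable header (properties included) has been decoded, the ordering the advisory describes."""
    if len(buf) < 1:
        raise NeedMoreData
    if buf[0] & 0xF0 != 0x10:
        raise ValueError("not a CONNECT packet")
    remaining, pos = decode_vbi(buf, 1)
    if check_before_parse and remaining > max_bytes:   # hardened: reject before touching the variable header
        raise TooLongFrame(remaining)
    var_start = pos
    if pos + 10 > len(buf):                            # protocol name (6) + level (1) + flags (1) + keep-alive (2)
        raise NeedMoreData
    if buf[pos + 6] != 5:
        raise ValueError("only MQTT 5 is modelled")
    pos += 10
    props_len, pos = decode_vbi(buf, pos)
    props, pos = parse_properties(buf, pos, pos + props_len, work)
    if remaining > max_bytes:                          # vulnerable ordering: limit applied only now
        raise TooLongFrame(remaining)
    if pos + 2 > len(buf):
        raise NeedMoreData
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    if pos + n > len(buf):
        raise NeedMoreData
    client_id = bytes(buf[pos:pos + n])
    pos += n
    if pos - var_start != remaining:
        raise ValueError("remaining length mismatch")
    return {"client_id": client_id, "user_properties": props}


def replaying_feed(packet, chunk, max_bytes, check_before_parse):
    """Deliver `packet` in `chunk`-sized pieces, re-running the decoder from the message start after
    each delivery as a replaying decoder does. Returns (outcome, property_bytes_scanned, attempts)."""
    buf, work, attempts = bytearray(), [0], 0
    for off in range(0, len(packet), chunk):
        buf += packet[off:off + chunk]
        attempts += 1
        try:
            decode_connect(buf, max_bytes, check_before_parse, work)
            return "decoded", work[0], attempts
        except NeedMoreData:
            continue
        except TooLongFrame:
            return "rejected", work[0], attempts
    return "incomplete", work[0], attempts


if __name__ == "__main__":
    oversized = build_connect([(b"k", b"v" * 4000)] * 5)   # ~20 KB of properties against an 8 KB limit
    for ordering in (False, True):
        print("check_before_parse=%s -> %s" % (ordering, replaying_feed(oversized, 512, 8192, ordering)))
```

With the 20 KB packet delivered in 512-byte chunks, the vulnerable ordering re-parses the already-received properties on every one of the 40 deliveries before it finally rejects the frame, scanning several hundred kilobytes of property data for a packet that was never going to be accepted; the hardened ordering rejects it on the first delivery after reading three bytes of remaining length and never allocates for the properties at all. A well-formed small CONNECT decodes identically under both orderings, which is the property a fix has to preserve.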

DoS

Resource Exhaustion


Weakness Enumeration

Related Identifiers

CLEANSTART-2026-CP46043
CLEANSTART-2026-DD05788
CLEANSTART-2026-EG39405
CLEANSTART-2026-LE11246
CLEANSTART-2026-MX76059
CLEANSTART-2026-RN56220
CLEANSTART-2026-WK99982
CVE-2026-44248
GHSA-JFG9-48MV-9QGX
OPENSUSE-SU-2026:10795-1
SUSE-SU-2026:2308-1

Affected Products

Netty