PT-2026-48809 · Netty · Netty

Published: 2026-06-11 · Updated: 2026-06-12 · CVE-2026-48059

CVSS v4.0: 8.7 High

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

Netty versions prior to 4.1.135.Final
Netty versions prior to 4.2.15.Final

Description

The HAProxy PROXY protocol v2 codec leaks native or heap memory on every connection when a client sends a syntactically valid header containing nested PP2_TYPE_SSL TLVs (type-length-value records) at depth two or greater. This occurs during the successful parse path where the underlying cumulation buffer, a pooled and potentially direct ByteBuf allocated by the channel, remains permanently pinned even after the HAProxyMessage is released and the decoder removes itself.

Recommendations

Update to version 4.1.135.Final.
Update to version 4.2.15.Final.
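
To find builds that still need the update, the following added example (not part of the advisory or of Netty) checks `mvn dependency:list` output against the two fixed versions above. It assumes the codec ships in the `io.netty:netty-codec-haproxy` and `io.netty:netty-all` artifacts; the function names and the sample lines are constructed for illustration.

```python
import re

# Fixed releases named in the advisory.
FIXED_4_1 = (4, 1, 135)
FIXED_4_2 = (4, 2, 15)
# Assumption: artifacts that ship the HAProxy codec classes.
CODEC_ARTIFACTS = {"netty-codec-haproxy", "netty-all"}

def is_affected(version):
    """True/False per the advisory's ranges; None if the version is unparseable."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)(.*)$", version)
    if not m:
        return None
    v = tuple(int(g) for g in m.groups()[:3])
    # 4.2.x is judged against 4.2.15.Final, everything else against 4.1.135.Final.
    fixed = FIXED_4_2 if v[:2] == (4, 2) else FIXED_4_1
    if v != fixed:
        return v < fixed
    # Same number as the fix: only the .Final build is the fixed release.
    return m.group(4) != ".Final"

def audit(dependency_lines):
    """Return (artifact, version) pairs that need the upgrade."""
    findings = []
    for line in dependency_lines:
        for token in line.split():
            parts = token.split(":")
            # Maven coordinate: group:artifact:type[:classifier]:version:scope
            if parts[0] != "io.netty" or len(parts) not in (5, 6):
                continue
            artifact, version = parts[1], parts[-2]
            # Unparseable versions (None) are reported for manual review.
            if artifact in CODEC_ARTIFACTS and is_affected(version) is not False:
                findings.append((artifact, version))
    return findings

# Constructed sample of `mvn dependency:list` output.
SAMPLE = """\
[INFO]    io.netty:netty-codec-haproxy:jar:4.1.118.Final:compile
[INFO]    io.netty:netty-codec-haproxy:jar:4.2.15.Final:compile
[INFO]    io.netty:netty-all:jar:4.2.3.Final:runtime
[INFO]    io.netty:netty-buffer:jar:4.1.118.Final:compile
[INFO]    io.netty:netty-codec-haproxy:jar:4.1.135.Final:compile
""".splitlines()

if __name__ == "__main__":
    for artifact, version in audit(SAMPLE):
        print(f"UPGRADE io.netty:{artifact}:{version}")
```

Shaded or repackaged copies of the codec do not appear under these coordinates and have to be checked separately.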

Fix

Memory Leak

Weakness Enumeration

Related Identifiers

CVE-2026-48059
GHSA-H2QV-FJ59-J46J

Affected Products

Netty