{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-45416","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2026-05-12T01:48:40.452Z","datePublished":"2026-06-12T14:10:05.585Z","dateUpdated":"2026-07-09T12:09:25.171Z"},"containers":{"cna":{"title":"Netty: SNI handler pre-allocates up to 16 MiB from nine attacker bytes","problemTypes":[{"descriptions":[{"cweId":"CWE-770","lang":"en","description":"CWE-770: Allocation of Resources Without Limits or Throttling","type":"CWE"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"}}],"references":[{"name":"https://github.com/netty/netty/security/advisories/GHSA-x4gw-5cx5-pgmh","tags":["x_refsource_CONFIRM"],"url":"https://github.com/netty/netty/security/advisories/GHSA-x4gw-5cx5-pgmh"},{"name":"https://github.com/netty/netty/releases/tag/netty-4.1.135.Final","tags":["x_refsource_MISC"],"url":"https://github.com/netty/netty/releases/tag/netty-4.1.135.Final"},{"name":"https://github.com/netty/netty/releases/tag/netty-4.2.15.Final","tags":["x_refsource_MISC"],"url":"https://github.com/netty/netty/releases/tag/netty-4.2.15.Final"}],"affected":[{"vendor":"netty","product":"netty","versions":[{"version":">= 4.2.0.Final, < 4.2.15.Final","status":"affected"},{"version":"< 4.1.135.Final","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2026-06-12T14:12:09.426Z"},"descriptions":[{"lang":"en","value":"Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, SslClientHelloHandler.decode() reads the 24-bit TLS handshake length and, when the ClientHello does not fit in the first record, eagerly allocates `ctx.alloc().buffer(handshakeLength)` (line 161). The guard at line 140 is `handshakeLength > maxClientHelloLength && maxClientHelloLength != 0`, and the commonly-used SniHandler/AbstractSniHandler constructors (SniHandler(Mapping), SniHandler(AsyncMapping), AbstractSniHandler()) pass maxClientHelloLength=0 and handshakeTimeoutMillis=0, so the length guard is disabled and no timeout is scheduled. A 16 MiB request exceeds the default pooled chunk size and becomes a huge/unpooled allocation performed immediately. The buffer is retained in the handler until the channel closes. Versions 4.1.135.Final and 4.2.15.Final patch the issue."}],"source":{"advisory":"GHSA-x4gw-5cx5-pgmh","discovery":"UNKNOWN"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-06-12T15:06:59.768657Z","id":"CVE-2026-45416","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-06-12T15:07:07.365Z"}},{"affected":[{"cpes":["cpe:/a:redhat:apache_camel_quarkus:3.33"],"defaultStatus":"affected","product":"Red Hat Build of Apache Camel 3.33 for Quarkus 3.33.2.SP1","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:offline_knowledge_portal:1.2::el9"],"defaultStatus":"affected","product":"Red Hat Offline Knowledge Portal 1.2.7","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:quarkus:3.27::el8"],"defaultStatus":"affected","product":"Red Hat build of Quarkus 3.27.4.SP1","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:quarkus:3.33::el8"],"defaultStatus":"affected","product":"Red Hat build of Quarkus 3.33.2.SP1","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:amq_streams:2.9::el9"],"defaultStatus":"affected","product":"Streams for Apache Kafka 2.9.4","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:cryostat:4"],"defaultStatus":"affected","product":"Cryostat 4","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:serverless:1"],"defaultStatus":"affected","product":"OpenShift Serverless","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:amq_broker:7"],"defaultStatus":"affected","product":"Red Hat AMQ Broker 7","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:amq_clients:2023"],"defaultStatus":"affected","product":"Red Hat AMQ Clients","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:apache_camel_hawtio:4"],"defaultStatus":"affected","product":"Red Hat build of Apache Camel - HawtIO 4","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:camel_quarkus:3"],"defaultStatus":"affected","product":"Red Hat build of Apache Camel 4 for Quarkus 3","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:camel_spring_boot:4"],"defaultStatus":"affected","product":"Red Hat build of Apache Camel for Spring Boot 4","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:apicurio_registry:3"],"defaultStatus":"affected","product":"Red Hat build of Apicurio Registry 3","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:debezium:3"],"defaultStatus":"affected","product":"Red Hat build of Debezium 3","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:build_keycloak:"],"defaultStatus":"affected","product":"Red Hat Build of Keycloak","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:jboss_data_grid:8"],"defaultStatus":"affected","product":"Red Hat Data Grid 8","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:jboss_fuse:7"],"defaultStatus":"affected","product":"Red Hat Fuse 7","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:jboss_enterprise_application_platform:7"],"defaultStatus":"affected","product":"Red Hat JBoss Enterprise Application Platform 7","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:jboss_enterprise_application_platform:8"],"defaultStatus":"affected","product":"Red Hat JBoss Enterprise Application Platform 8","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:jbosseapxp"],"defaultStatus":"affected","product":"Red Hat JBoss Enterprise Application Platform Expansion Pack","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift_ai"],"defaultStatus":"affected","product":"Red Hat OpenShift AI (RHOAI)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift_devspaces:3"],"defaultStatus":"affected","product":"Red Hat OpenShift Dev Spaces","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:amq_streams:3"],"defaultStatus":"affected","product":"streams for Apache Kafka 3","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:enterprise_linux_ai:3"],"defaultStatus":"unaffected","product":"Red Hat Enterprise Linux AI (RHEL AI) 3","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:satellite:6"],"defaultStatus":"unaffected","product":"Red Hat Satellite 6","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:red_hat_single_sign_on:7"],"defaultStatus":"unaffected","product":"Red Hat Single Sign-On 7","vendor":"Red Hat"}],"datePublic":"2026-06-12T14:10:05.585Z","descriptions":[{"lang":"en","value":"A flaw was found in Netty, a network application framework. A remote attacker can exploit this vulnerability by sending a crafted TLS (Transport Layer Security) ClientHello message. This can lead to an eager allocation of a large memory buffer, causing a Denial of Service (DoS) due to excessive memory consumption. The issue occurs in the `SslClientHelloHandler.decode()` method when processing the TLS handshake length."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-770","description":"Allocation of Resources Without Limits or Throttling","lang":"en","type":"CWE"}]}],"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-45416"},{"name":"RHBZ#2488391","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2488391"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-45416.json"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:26586"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:28573"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:26018"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:26017"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:34608"}],"solutions":[{"lang":"en","value":"RHSA-2026:26586: Red Hat Build of Apache Camel 3.33 for Quarkus 3.33.2.SP1"},{"lang":"en","value":"RHSA-2026:28573: Red Hat Offline Knowledge Portal 1.2.7"},{"lang":"en","value":"RHSA-2026:26018: Red Hat build of Quarkus 3.27.4.SP1"},{"lang":"en","value":"RHSA-2026:26017: Red Hat build of Quarkus 3.33.2.SP1"},{"lang":"en","value":"RHSA-2026:34608: Streams for Apache Kafka 2.9.4"}],"timeline":[{"lang":"en","time":"2026-06-12T15:01:45.671Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-06-12T14:10:05.585Z","value":"Made public."}],"title":"netty-handler: Netty: Denial of Service due to eager buffer allocation in TLS handshake","workarounds":[{"lang":"en","value":"To mitigate this issue, configure applications utilizing Netty's `SslClientHelloHandler` to specify a non-zero value for the `maxClientHelloLength` parameter. This will enable the internal length validation, preventing the eager allocation of large memory buffers when processing crafted TLS ClientHello messages. Refer to your specific application's documentation for details on configuring Netty's TLS handler. A restart of the affected application or service is required for the configuration changes to take effect."}],"x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"},"providerMetadata":{"orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP","dateUpdated":"2026-07-09T12:09:25.171Z"}}]}}