CVE-2022-41881

NameCVE-2022-41881
DescriptionNetty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround, except using a custom HaProxyMessageDecoder.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3268-1, DSA-5316-1
Debian Bugs1027180

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
netty (PTS)buster1:4.1.33-1+deb10u2vulnerable
buster (security)1:4.1.33-1+deb10u4fixed
bullseye1:4.1.48-4+deb11u1fixed
bullseye (security)1:4.1.48-4+deb11u2fixed
bookworm1:4.1.48-7fixed
bookworm (security)1:4.1.48-7+deb12u1fixed
sid, trixie1:4.1.48-8fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
nettysourcebuster1:4.1.33-1+deb10u3DLA-3268-1
nettysourcebullseye1:4.1.48-4+deb11u1DSA-5316-1
nettysource(unstable)1:4.1.48-61027180

Notes

https://github.com/netty/netty/security/advisories/GHSA-fx2c-96vj-985v
Fixed by https://github.com/netty/netty/commit/cd91cf3c99123bd1e53fd6a1de0e3d1922f05bb2 (netty-4.1.86.Final)

Search for package or bug name: Reporting problems