CVE-2026-48059

NameCVE-2026-48059
DescriptionNetty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, the HAProxy PROXY protocol v2 codec in netty leaks native or heap memory on every connection when a client sends a syntactically valid header containing nested `PP2_TYPE_SSL` TLVs (type-length-value records) at depth two or greater. The leak occurs on the successful parse path — no exception is thrown, the message fires downstream, the decoder removes itself, and the application releases the `HAProxyMessage` normally. Yet the underlying cumulation buffer (a pooled, potentially direct `ByteBuf` allocated by the channel) remains permanently pinned. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1139914

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
netty (PTS)bullseye1:4.1.48-4+deb11u2vulnerable
bullseye (security)1:4.1.48-4+deb11u3vulnerable
bookworm, bookworm (security)1:4.1.48-7+deb12u2vulnerable
trixie (security), trixie1:4.1.48-10+deb13u1vulnerable
forky, sid1:4.1.48-16vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
nettysource(unstable)(unfixed)1139914

Notes

https://github.com/netty/netty/security/advisories/GHSA-h2qv-fj59-j46j

Search for package or bug name: Reporting problems