DEBIAN-CVE-2026-44248

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/CVE-2026-44248

Import Source

https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-44248.json

JSON Data

https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2026-44248

Upstream

CVE-2026-44248

Published

2026-05-13T19:17:27.143Z

Modified

2026-05-19T09:00:11.663558050Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

[none]

Details

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the MQTT 5 header Properties section is parsed and buffered before any message size limit is applied. Specifically, in MqttDecoder, the decodeVariableHeader() method is called before the bytesRemainingBeforeVariableHeader > maxBytesInMessage check. The decodeVariableHeader() can call other methods which will call decodeProperties(). Effectively, Netty does not apply any limits to the size of the properties being decoded. Additionally, because MqttDecoder extends ReplayingDecoder, Netty will repeatedly re-parse the enormous Properties sections and buffer the bytes in memory, until the entire thing parses to completion. This can cause high resource usage in both CPU and memory. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

References

https://security-tracker.debian.org/tracker/CVE-2026-44248

Affected packages

Debian:11 / netty

Package

Name: netty
Purl: pkg:deb/debian/netty?arch=source&distro=bullseye

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1:4.*

1:4.1.48-4

1:4.1.48-4+deb11u1

1:4.1.48-4+deb11u2

1:4.1.48-4+deb11u3

1:4.1.48-5

1:4.1.48-6

1:4.1.48-7

1:4.1.48-8

1:4.1.48-9

1:4.1.48-10

1:4.1.48-11

1:4.1.48-12

1:4.1.48-13

1:4.1.48-14

1:4.1.48-15

1:4.1.48-16

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-44248.json"

Debian:12 / netty

Package

Name: netty
Purl: pkg:deb/debian/netty?arch=source&distro=bookworm

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1:4.*

1:4.1.48-7

1:4.1.48-7+deb12u1

1:4.1.48-7+deb12u2

1:4.1.48-8

1:4.1.48-9

1:4.1.48-10

1:4.1.48-11

1:4.1.48-12

1:4.1.48-13

1:4.1.48-14

1:4.1.48-15

1:4.1.48-16

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-44248.json"

Debian:13 / netty

Package

Name: netty
Purl: pkg:deb/debian/netty?arch=source&distro=trixie

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1:4.*

1:4.1.48-10

1:4.1.48-10+deb13u1

1:4.1.48-11

1:4.1.48-12

1:4.1.48-13

1:4.1.48-14

1:4.1.48-15

1:4.1.48-16

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-44248.json"

Debian:14 / netty

Package

Name: netty
Purl: pkg:deb/debian/netty?arch=source&distro=forky

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1:4.*

1:4.1.48-10

1:4.1.48-11

1:4.1.48-12

1:4.1.48-13

1:4.1.48-14

1:4.1.48-15

1:4.1.48-16

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-44248.json"