CVE-2026-44248: Property Size Overflow in Netty
Platform
java
Component
netty
Fixed in
4.2.13.Final
CVE-2026-44248 is a vulnerability in the Netty network application framework. It stems from improper handling of MQTT 5 header properties: an attacker can trigger a denial-of-service (DoS) condition by sending a packet with oversized Properties. The vulnerability affects Netty versions 4.2.0 and later up to, but not including, 4.2.13.Final. A fix is available in version 4.2.13.Final.
Detect this CVE in your project
Upload your pom.xml file and we'll tell you instantly if you're affected.
Impact and Attack Scenarios
The vulnerability lies in Netty's MqttDecoder, specifically in the decodeVariableHeader() method. The Properties section of an MQTT 5 variable header is parsed and buffered before any message size limit is applied, so an attacker can send an MQTT packet whose Properties section is extremely large. Because MqttDecoder extends ReplayingDecoder, every time more bytes arrive Netty restarts decoding from its last checkpoint and re-parses the oversized properties, consuming excessive memory. The result is a server-side DoS that disrupts MQTT communication and every application relying on it. No data can be read or modified, but the resource exhaustion can render the server unavailable.
Exploitation Context
CVE-2026-44248 was published on May 13, 2026. Its severity is currently assessed as medium. There are no known public exploits or active campaigns targeting this vulnerability at the time of writing. It is not listed in the CISA KEV catalog and has no EPSS score yet, which suggests a low probability of near-term exploitation. Refer to the official Netty advisory for further details.
CVSS Vector
- Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
- Attack Complexity: Low — no special conditions required. The attacker can exploit reliably without depending on rare configurations or timing.
- Privileges Required: None — unauthenticated. No login or credentials needed to exploit.
- User Interaction: None — the attack is automatic and silent. The victim does nothing: no click, no file open.
- Scope: Unchanged — impact is limited to the vulnerable component itself.
- Confidentiality: None — no confidentiality impact. The attacker cannot read protected data.
- Integrity: None — no integrity impact. The attacker cannot modify data.
- Availability: Low — partial or intermittent denial of service. The attacker can degrade performance.
Mitigation and Workarounds
The primary mitigation is to upgrade to Netty version 4.2.13.Final or later, which includes the fix for this vulnerability. If upgrading immediately is not feasible, limit the maximum size of MQTT packets the Netty server will accept before they reach the MQTT decoder. Note that the maxBytesInMessage limit built into MqttDecoder does not help on affected versions, because the Properties section is consumed before that limit is checked; the size check must sit in front of the decoder, for example as a pipeline handler that inspects the fixed header's Remaining Length, or at a protocol-aware gateway that rejects oversized packets (a WAF can play this role only for MQTT carried over WebSocket). After upgrading, confirm the fix by sending a test MQTT packet with a large Properties section and verifying that the server neither consumes excessive memory nor crashes.
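The front-of-pipeline size check described above, as an added example that is not Netty's own code and is not part of the advisory: a ByteToMessageDecoder that reads each MQTT packet's fixed-header Remaining Length, closes the connection when it exceeds a ceiling, and only then hands the complete packet on to MqttDecoder. The class names MqttFrameSizeGuard and GuardedMqttInitializer and the 256 KiB limit are assumptions chosen for illustration; MqttDecoder, MqttEncoder, ByteToMessageDecoder and TooLongFrameException are Netty's own classes.

```java
import io.netty.buffer.ByteBuf;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelInitializer;
import io.netty.channel.socket.SocketChannel;
import io.netty.handler.codec.ByteToMessageDecoder;
import io.netty.handler.codec.TooLongFrameException;
import io.netty.handler.codec.mqtt.MqttDecoder;
import io.netty.handler.codec.mqtt.MqttEncoder;

import java.util.List;

/**
 * Example guard (not part of Netty): rejects any MQTT control packet whose
 * fixed-header Remaining Length exceeds a ceiling, before the bytes reach
 * MqttDecoder. Only complete, size-checked packets are passed downstream.
 */
public final class MqttFrameSizeGuard extends ByteToMessageDecoder {

    private final int maxRemainingLength;

    public MqttFrameSizeGuard(int maxRemainingLength) {
        this.maxRemainingLength = maxRemainingLength;
    }

    @Override
    protected void decode(ChannelHandlerContext ctx, ByteBuf in, List<Object> out) {
        if (in.readableBytes() < 2) {
            return; // need at least the type byte and one length byte
        }
        int start = in.readerIndex();
        in.readByte(); // packet type + flags; irrelevant for the size check

        // MQTT Remaining Length: 1 to 4 bytes, 7 data bits each, MSB = "more bytes follow".
        int remainingLength = 0;
        int multiplier = 1;
        int lengthBytes = 0;
        byte b;
        do {
            if (!in.isReadable()) {
                in.readerIndex(start); // varint incomplete: wait for more bytes
                return;
            }
            b = in.readByte();
            lengthBytes++;
            remainingLength += (b & 0x7F) * multiplier; // max 268,435,455, fits in int
            multiplier *= 128;
            if ((b & 0x80) != 0 && lengthBytes == 4) {
                throw new TooLongFrameException("malformed MQTT Remaining Length");
            }
        } while ((b & 0x80) != 0);

        if (remainingLength > maxRemainingLength) {
            throw new TooLongFrameException("MQTT packet of " + remainingLength
                    + " bytes exceeds limit of " + maxRemainingLength);
        }

        int frameLength = 1 + lengthBytes + remainingLength;
        in.readerIndex(start);
        if (in.readableBytes() < frameLength) {
            return; // buffer at most maxRemainingLength + 5 bytes per connection
        }
        out.add(in.readRetainedSlice(frameLength)); // complete packet for MqttDecoder
    }

    @Override
    public void exceptionCaught(ChannelHandlerContext ctx, Throwable cause) {
        ctx.close(); // oversized or malformed header: drop the connection
    }
}

/** Example pipeline wiring (assumed names and limit) placing the guard before MqttDecoder. */
final class GuardedMqttInitializer extends ChannelInitializer<SocketChannel> {

    private static final int MAX_PACKET_BYTES = 256 * 1024; // assumed deployment limit

    @Override
    protected void initChannel(SocketChannel ch) {
        ch.pipeline()
          .addLast("mqttSizeGuard", new MqttFrameSizeGuard(MAX_PACKET_BYTES))
          .addLast("mqttDecoder", new MqttDecoder(MAX_PACKET_BYTES))
          .addLast("mqttEncoder", MqttEncoder.INSTANCE);
    }
}
```

Because the check reads only the five-byte fixed header, the guard never holds more than the configured limit per connection, and because MqttDecoder then receives whole packets, its ReplayingDecoder replay never re-scans a partially received, oversized Properties section. The MqttDecoder limit is kept as defence in depth for the fields it does check.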
How to fix
Upgrade the Netty library to version 4.2.13.Final or later, or to version 4.1.133.Final or later. This update fixes the vulnerability by applying limits to the size of the properties decoded for the MQTT 5 protocol, preventing resource exhaustion.
Frequently asked questions
What is CVE-2026-44248 — Property Size Overflow in Netty?
CVE-2026-44248 is a medium-severity vulnerability in Netty affecting versions 4.2.0 through 4.2.12. It allows an attacker to cause a denial-of-service by sending oversized MQTT 5 Properties sections, leading to excessive memory consumption.
Am I affected by CVE-2026-44248 in Netty?
You are affected if you are using Netty versions 4.2.0 through 4.2.12 and are processing MQTT 5 messages. Upgrade to 4.2.13.Final or later to mitigate the risk.
How do I fix CVE-2026-44248 in Netty?
The recommended fix is to upgrade to Netty version 4.2.13.Final or a later version. As a temporary workaround, limit the maximum size of MQTT messages processed by your server.
Is CVE-2026-44248 being actively exploited?
As of the current assessment, CVE-2026-44248 is not known to be actively exploited. However, it's crucial to apply the fix to prevent potential future exploitation.
Where can I find the official Netty advisory for CVE-2026-44248?
Refer to the official Netty project website and security advisories for detailed information and updates regarding CVE-2026-44248: [https://netty.io/wiki/pages/known-security-vulnerabilities.html](https://netty.io/wiki/pages/known-security-vulnerabilities.html)