CVE Catalog

CVE-2026-44248

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.46%

37th percentile - higher than 37% of all known CVEs

Summary

In Netty before versions 4.2.13.Final and 4.1.133.Final, a vulnerability exists in the MQTT 5 decoder. The Properties section of the MQTT header is parsed and buffered before any message size limit check, allowing an attacker to send oversized properties. This causes repeated, expensive parsing and memory buffering, leading to high CPU and RAM usage.

Risk Assessment

An attacker can overload a server using Netty for MQTT 5, causing a denial of service (DoS) by sending a crafted packet with an enormous Properties section. This may lead to service unavailability for clients.

Recommendation

Immediately update Netty to version 4.2.13.Final or 4.1.133.Final. If an update is not possible, consider restricting MQTT server access to trusted clients only.

Original NVD description (English source)

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the MQTT 5 header Properties section is parsed and buffered before any message size limit is applied. Specifically, in MqttDecoder, the decodeVariableHeader() method is called before the bytesRemainingBeforeVariableHeader > maxBytesInMessage check. The decodeVariableHeader() can call other methods which will call decodeProperties(). Effectively, Netty does not apply any limits to the size of the properties being decoded. Additionally, because MqttDecoder extends ReplayingDecoder, Netty will repeatedly re-parse the enormous Properties sections and buffer the bytes in memory, until the entire thing parses to completion. This can cause high resource usage in both CPU and memory. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS