CVE-2026-44893
Netty: HAProxy SSL TLV parsing leaks retained slice on invalid TLV length
描述
Netty is a network application framework for development of protocol servers and clients. In netty-codec-haproxy prior to versions 4.1.135.Final and 4.2.15.Final, when decoding a PP2_TYPE_SSL TLV, HAProxyMessage.readNextTLV() first calls `header.retainedSlice(header.readerIndex(), length)` and only then reads the 1-byte client field and 4-byte verify field. If the attacker sets the TLV length below 5, the subsequent readByte/readInt throws IndexOutOfBoundsException. HAProxyMessageDecoder only catches HAProxyProtocolException around this call, so the IOOBE propagates and the retained slice on the pooled cumulation buffer is never released. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
如何修補 CVE-2026-44893
要修補 CVE-2026-44893,請將受影響套件升級到下列已修補版本。
- —未列出修補版本
- —升級至 4.2.15.Final 或更新版本
CVE-2026-44893 正在被利用嗎?
目前沒有被利用訊號。CVE-2026-44893 既不在 CISA KEV 也沒有最新的 EPSS 分數。
受影響套件(2)
- from 0
- >= 4.2.0.Final, < 4.2.15.Final
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |