GHSA-jfg9-48mv-9qgx
Suggest an improvement- Source
- https://github.com/advisories/GHSA-jfg9-48mv-9qgx
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-jfg9-48mv-9qgx/GHSA-jfg9-48mv-9qgx.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-jfg9-48mv-9qgx
- Aliases
-
- CVE-2026-44248
- Downstream
- Related
- Published
- 2026-05-07T05:14:14Z
- Modified
- 2026-05-14T20:51:55.305572Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
- Summary
- Netty MQTT: Resource exhaustion in MqttDecoder
- Details
-
Impact
The MQTT 5 header Properties section is parsed and buffered before any message size limit is applied.
Specifically, in
MqttDecoder, thedecodeVariableHeader()method is called before thebytesRemainingBeforeVariableHeader > maxBytesInMessagecheck. ThedecodeVariableHeader()can call other methods which will calldecodeProperties(). Effectively, Netty does not apply any limits to the size of the properties being decoded.Additionally, because
MqttDecoderextendsReplayingDecoder, Netty will repeatedly re-parse the enormous Properties sections and buffer the bytes in memory, until the entire thing parses to completion.This can cause high resource usage in both CPU and memory.
Resources
ANT-2026-09608https://docs.oasis-open.org/mqtt/mqtt/v5.0/os/mqtt-v5.0-os.html#_Toc3901027 - Database specific
{ "github_reviewed_at": "2026-05-07T05:14:14Z", "nvd_published_at": "2026-05-13T19:17:27Z", "cwe_ids": [ "CWE-400" ], "severity": "MODERATE", "github_reviewed": true }- References
Affected packages
Maven / io.netty:netty-codec-mqtt
Package
- Name
- io.netty:netty-codec-mqtt
- View open source insights on deps.dev
- Purl
- pkg:maven/io.netty/netty-codec-mqtt
Maven / io.netty:netty-codec-mqtt
Package
- Name
- io.netty:netty-codec-mqtt
- View open source insights on deps.dev
- Purl
- pkg:maven/io.netty/netty-codec-mqtt
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed4.1.133.Final
Affected versions
4.*
4.1.0.Beta1
4.1.0.Beta2
4.1.0.Beta3
4.1.0.Beta4
4.1.0.Beta5
4.1.0.Beta6
4.1.0.Beta7
4.1.0.Beta8
4.1.0.CR1
4.1.0.CR2
4.1.0.CR3
4.1.0.CR4
4.1.0.CR5
4.1.0.CR6
4.1.0.CR7
4.1.0.Final
4.1.1.Final
4.1.2.Final
4.1.3.Final
4.1.4.Final
4.1.5.Final
4.1.6.Final
4.1.7.Final
4.1.8.Final
4.1.9.Final
4.1.10.Final
4.1.11.Final
4.1.12.Final
4.1.13.Final
4.1.14.Final
4.1.15.Final
4.1.16.Final
4.1.17.Final
4.1.18.Final
4.1.19.Final
4.1.20.Final
4.1.21.Final
4.1.22.Final
4.1.23.Final
4.1.24.Final
4.1.25.Final
4.1.26.Final
4.1.27.Final
4.1.28.Final
4.1.29.Final
4.1.30.Final
4.1.31.Final
4.1.32.Final
4.1.33.Final
4.1.34.Final
4.1.35.Final
4.1.36.Final
4.1.37.Final
4.1.38.Final
4.1.39.Final
4.1.40.Final
4.1.41.Final
4.1.42.Final
4.1.43.Final
4.1.44.Final
4.1.45.Final
4.1.46.Final
4.1.47.Final
4.1.48.Final
4.1.49.Final
4.1.50.Final
4.1.51.Final
4.1.52.Final
4.1.53.Final
4.1.54.Final
4.1.55.Final
4.1.56.Final
4.1.57.Final
4.1.58.Final
4.1.59.Final
4.1.60.Final
4.1.61.Final
4.1.62.Final
4.1.63.Final
4.1.64.Final
4.1.65.Final
4.1.66.Final
4.1.67.Final
4.1.68.Final
4.1.69.Final
4.1.70.Final
4.1.71.Final
4.1.72.Final
4.1.73.Final
4.1.74.Final
4.1.75.Final
4.1.76.Final
4.1.77.Final
4.1.78.Final
4.1.79.Final
4.1.80.Final
4.1.81.Final
4.1.82.Final
4.1.83.Final
4.1.84.Final
4.1.85.Final
4.1.86.Final
4.1.87.Final
4.1.88.Final
4.1.89.Final
4.1.90.Final
4.1.91.Final
4.1.92.Final
4.1.93.Final
4.1.94.Final
4.1.95.Final
4.1.96.Final
4.1.97.Final
4.1.98.Final
4.1.99.Final
4.1.100.Final
4.1.101.Final
4.1.102.Final
4.1.103.Final
4.1.104.Final
4.1.105.Final
4.1.106.Final
4.1.107.Final
4.1.108.Final
4.1.109.Final
4.1.110.Final
4.1.111.Final
4.1.112.Final
4.1.113.Final
4.1.114.Final
4.1.115.Final
4.1.116.Final
4.1.117.Final
4.1.118.Final
4.1.119.Final
4.1.120.Final
4.1.121.Final
4.1.122.Final
4.1.123.Final
4.1.124.Final
4.1.125.Final
4.1.126.Final
4.1.127.Final
4.1.128.Final
4.1.129.Final
4.1.130.Final
4.1.131.Final
4.1.132.Final