GHSA-3qp7-7mw8-wx86

An attacker can bypass IPv6 subnet rules due to an incorrect masking operation in IpSubnetFilterRule.compareTo(). Valid public IP addresses can bypass the restrictions.

Details

io.netty.handler.ipfilter.IpSubnetFilterRule#compareTo(java.net.InetSocketAddress) method performs a bitwise AND between the incoming IP address and the configured networkAddress, instead of the subnetMask.

Impact

Access Control Bypass. Attacker can bypass IpSubnetFilter IPv6 access controls.

Database specific

{
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-08T19:00:33Z",
    "nvd_published_at": "2026-06-11T22:16:56Z",
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-284",
        "CWE-697"
    ]
}

References

Affected packages

Maven / io.netty:netty-handler

Package

Name: io.netty:netty-handler; View open source insights on deps.dev
Purl: pkg:maven/io.netty/netty-handler

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.2.0.Final

Fixed

4.2.15.Final

Affected versions

4.*

4.2.0.Final

4.2.1.Final

4.2.2.Final

4.2.3.Final

4.2.4.Final

4.2.5.Final

4.2.6.Final

4.2.7.Final

4.2.8.Final

4.2.9.Final

4.2.10.Final

4.2.11.Final

4.2.12.Final

4.2.13.Final

4.2.14.Final

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-3qp7-7mw8-wx86/GHSA-3qp7-7mw8-wx86.json"

last_known_affected_version_range

"<= 4.2.14.Final"

Maven / io.netty:netty-handler

Package

Name: io.netty:netty-handler; View open source insights on deps.dev
Purl: pkg:maven/io.netty/netty-handler

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.1.135.Final

Affected versions

4.*

4.0.0.Alpha1

4.0.0.Alpha2

4.0.0.Alpha3

4.0.0.Alpha4

4.0.0.Alpha5

4.0.0.Alpha6

4.0.0.Alpha7

4.0.0.Alpha8

4.0.0.Beta1

4.0.0.Beta2

4.0.0.Beta3

4.0.0.CR1

4.0.0.CR2

4.0.0.CR3

4.0.0.CR4

4.0.0.CR5

4.0.0.CR6

4.0.0.CR7

4.0.0.CR8

4.0.0.CR9

4.0.0.Final

4.0.1.Final

4.0.2.Final

4.0.3.Final

4.0.4.Final

4.0.5.Final

4.0.6.Final

4.0.7.Final

4.0.8.Final

4.0.9.Final

4.0.10.Final

4.0.11.Final

4.0.12.Final

4.0.13.Final

4.0.14.Beta1

4.0.14.Final

4.0.15.Final

4.0.16.Final

4.0.17.Final

4.0.18.Final

4.0.19.Final

4.0.20.Final

4.0.21.Final

4.0.22.Final

4.0.23.Final

4.0.24.Final

4.0.25.Final

4.0.26.Final

4.0.27.Final

4.0.28.Final

4.0.29.Final

4.0.30.Final

4.0.31.Final

4.0.32.Final

4.0.33.Final

4.0.34.Final

4.0.35.Final

4.0.36.Final

4.0.37.Final

4.0.38.Final

4.0.39.Final

4.0.40.Final

4.0.41.Final

4.0.42.Final

4.0.43.Final

4.0.44.Final

4.0.45.Final

4.0.46.Final

4.0.47.Final

4.0.48.Final

4.0.49.Final

4.0.50.Final

4.0.51.Final

4.0.52.Final

4.0.53.Final

4.0.54.Final

4.0.55.Final

4.0.56.Final

4.1.0.Beta1

4.1.0.Beta2

4.1.0.Beta3

4.1.0.Beta4

4.1.0.Beta5

4.1.0.Beta6

4.1.0.Beta7

4.1.0.Beta8

4.1.0.CR1

4.1.0.CR2

4.1.0.CR3

4.1.0.CR4

4.1.0.CR5

4.1.0.CR6

4.1.0.CR7

4.1.0.Final

4.1.1.Final

4.1.2.Final

4.1.3.Final

4.1.4.Final

4.1.5.Final

4.1.6.Final

4.1.7.Final

4.1.8.Final

4.1.9.Final

4.1.10.Final

4.1.11.Final

4.1.12.Final

4.1.13.Final

4.1.14.Final

4.1.15.Final

4.1.16.Final

4.1.17.Final

4.1.18.Final

4.1.19.Final

4.1.20.Final

4.1.21.Final

4.1.22.Final

4.1.23.Final

4.1.24.Final

4.1.25.Final

4.1.26.Final

4.1.27.Final

4.1.28.Final

4.1.29.Final

4.1.30.Final

4.1.31.Final

4.1.32.Final

4.1.33.Final

4.1.34.Final

4.1.35.Final

4.1.36.Final

4.1.37.Final

4.1.38.Final

4.1.39.Final

4.1.40.Final

4.1.41.Final

4.1.42.Final

4.1.43.Final

4.1.44.Final

4.1.45.Final

4.1.46.Final

4.1.47.Final

4.1.48.Final

4.1.49.Final

4.1.50.Final

4.1.51.Final

4.1.52.Final

4.1.53.Final

4.1.54.Final

4.1.55.Final

4.1.56.Final

4.1.57.Final

4.1.58.Final

4.1.59.Final

4.1.60.Final

4.1.61.Final

4.1.62.Final

4.1.63.Final

4.1.64.Final

4.1.65.Final

4.1.66.Final

4.1.67.Final

4.1.68.Final

4.1.69.Final

4.1.70.Final

4.1.71.Final

4.1.72.Final

4.1.73.Final

4.1.74.Final

4.1.75.Final

4.1.76.Final

4.1.77.Final

4.1.78.Final

4.1.79.Final

4.1.80.Final

4.1.81.Final

4.1.82.Final

4.1.83.Final

4.1.84.Final

4.1.85.Final

4.1.86.Final

4.1.87.Final

4.1.88.Final

4.1.89.Final

4.1.90.Final

4.1.91.Final

4.1.92.Final

4.1.93.Final

4.1.94.Final

4.1.95.Final

4.1.96.Final

4.1.97.Final

4.1.98.Final

4.1.99.Final

4.1.100.Final

4.1.101.Final

4.1.102.Final

4.1.103.Final

4.1.104.Final

4.1.105.Final

4.1.106.Final

4.1.107.Final

4.1.108.Final

4.1.109.Final

4.1.110.Final

4.1.111.Final

4.1.112.Final

4.1.113.Final

4.1.114.Final

4.1.115.Final

4.1.116.Final

4.1.117.Final

4.1.118.Final

4.1.119.Final

4.1.120.Final

4.1.121.Final

4.1.122.Final

4.1.123.Final

4.1.124.Final

4.1.125.Final

4.1.126.Final

4.1.127.Final

4.1.128.Final

4.1.129.Final

4.1.130.Final

4.1.131.Final

4.1.132.Final

4.1.133.Final

4.1.134.Final

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-3qp7-7mw8-wx86/GHSA-3qp7-7mw8-wx86.json"

last_known_affected_version_range

"<= 4.1.134.Final"