LiveActive security incident?Get immediate response
CVE Record

CVE-2026-44248: Netty: Resource exhaustion in MqttDecoder

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the MQTT 5 header Properties section is parsed and buffered before any message size limit is applied. Specifically, in MqttDecoder, the decodeVariableHeader() method is called before the bytesRemainingBeforeVariableHeader > maxBytesInMessage check. The decodeVariableHeader() can call other methods which will call decodeProperties(). Effectively, Netty does not apply any limits to the size of the properties being decoded. Additionally, because MqttDecoder extends ReplayingDecoder, Netty will repeatedly re-parse the enormous Properties sections and buffer the bytes in memory, until the entire thing parses to completion. This can cause high resource usage in both CPU and memory. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

HighCVSS 7.5Not KEV-listedUpdated
Glexia's TakeAutomated analysishigh

Security readout for executives and security teams

Plain-English summary

Netty, a widely used Java networking framework, has a flaw in how it handles MQTT 5 messages. An attacker can send a specially crafted MQTT message that forces Netty to buffer huge amounts of data in memory and burn CPU cycles. Applications relying on Netty's MQTT decoder can slow down or crash, disrupting availability for customers and internal services.

Executive priority

Treat as a high-priority availability risk if any customer-facing or IoT service uses Netty MQTT. Schedule patching this sprint, verify exposure through SBOM/SCA, and confirm broker monitoring is in place. No evidence of active exploitation today, but the low attack complexity and unauthenticated network reach warrant fast action.

Technical view

In MqttDecoder, decodeVariableHeader() runs before the bytesRemainingBeforeVariableHeader > maxBytesInMessage size check, so decodeProperties() parses the MQTT 5 Properties section without a length limit. Because MqttDecoder extends ReplayingDecoder, incomplete buffers are repeatedly re-parsed while bytes accumulate in memory. The result is uncontrolled resource consumption (CWE-400, CWE-770). Fixed in Netty 4.2.13.Final and 4.1.133.Final per the GHSA advisory.

Likely exposure

Any Java service that exposes an MQTT 5 listener built on netty-codec-mqtt versions >= 4.2.0.Alpha1 and < 4.2.13.Final, or < 4.1.133.Final. IoT brokers, telemetry gateways, and edge messaging tiers reachable from untrusted networks are most exposed. Internal-only MQTT services face lower but non-zero risk from compromised clients.

Exploitation context

CVSS 3.1 is 7.5 (AV:N/AC:L/PR:N/UI:N/A:H) with network reach, no authentication, and availability impact only. No confidentiality or integrity loss is described. The CVE is not listed in CISA KEV, and the provided sources do not cite active exploitation. Public proof-of-concept status is not confirmed in the source bundle.

Researcher notes

Root cause is ordering: decodeVariableHeader() executes before the maxBytesInMessage guard, and ReplayingDecoder retries on incomplete reads, amplifying memory pressure during Properties parsing. Look for MQTT 5 CONNECT/PUBLISH frames with oversized Properties sections. Confirm patched versions in shaded/relocated jars and container base images. Watch for downstream products (Quarkus, Vert.x, brokers, gateways) that pin older Netty; vendor advisories may lag.

Mitigation direction

  • Upgrade netty-codec-mqtt to 4.2.13.Final or 4.1.133.Final across services and container images.
  • Apply Red Hat RHSA-2026:37390 or equivalent vendor updates for downstream products bundling Netty.
  • Restrict MQTT listener exposure to trusted networks and enforce authentication where possible.
  • Add ingress rate limiting and connection quotas in front of MQTT brokers as a stopgap.
  • Review third-party libraries and appliances for embedded vulnerable Netty versions and request vendor guidance.

Validation and detection

  • Inventory Java services and dependencies with SCA to locate netty-codec-mqtt versions in scope.
  • Confirm resolved runtime version at 4.2.13.Final or 4.1.133.Final after rebuild and redeploy.
  • Monitor MQTT broker CPU, heap, and connection metrics for abnormal spikes tied to single clients.
  • Cross-check Red Hat CSAF/VEX data to confirm affected product status for RHEL-based stacks.
  • Track upstream advisory GHSA-jfg9-48mv-9qgx for any updates or additional guidance.
Prepared
Confidence
high
Sources
7

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-400: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cwe · low confidence lookup

CWE-770: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2026-44248 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
High
CVSS
7.5 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

2CVSS vectors
5Timeline events
2ADP providers
6Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: yesTechnical Impact: partial

CVSS vector scores

2 official scores

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
7.5CVSS 3.1HighCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H3.93.6redhat-SADP
5.3CVSS 3.1MediumCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L3.91.4GitHub_M

Vulnerability scoring details

Base CVSS 3.1 score

7.5High
CVSS 3.1 vector shape for CVE-2026-44248Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. ADP timelineredhat-SADP

    Made public.

  3. CVE publishedCVE Program

    The CVE record was published.

  4. ADP timelineredhat-SADP

    Reported to Red Hat.

  5. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
redhat-SADPnetty: io.netty/netty-codec-mqtt: Netty: Denial of Service due to excessive resource consumption from crafted MQTT 5 header
other:Red Hat severity ratingcvssV3_1
  • 2026-05-13T19:02:22.095Z: Reported to Red Hat.
  • 2026-05-13T18:23:37.563Z: Made public.

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
nettynetty>= 4.2.0.Alpha1, < 4.2.13.Final, < 4.1.133.FinalListed
io.nettynetty-codec-mqtt>= 4.2.0.Alpha1, < 4.2.13.Final, < 4.1.133.FinalListed
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.