CVE-2026-44248: Netty: Resource exhaustion in MqttDecoder
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the MQTT 5 header Properties section is parsed and buffered before any message size limit is applied. Specifically, in MqttDecoder, the decodeVariableHeader() method is called before the bytesRemainingBeforeVariableHeader > maxBytesInMessage check. The decodeVariableHeader() can call other methods which will call decodeProperties(). Effectively, Netty does not apply any limits to the size of the properties being decoded. Additionally, because MqttDecoder extends ReplayingDecoder, Netty will repeatedly re-parse the enormous Properties sections and buffer the bytes in memory, until the entire thing parses to completion. This can cause high resource usage in both CPU and memory. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Security readout for executives and security teams
Plain-English summary
Netty, a widely used Java networking framework, has a flaw in how it handles MQTT 5 messages. An attacker can send a specially crafted MQTT message that forces Netty to buffer huge amounts of data in memory and burn CPU cycles. Applications relying on Netty's MQTT decoder can slow down or crash, disrupting availability for customers and internal services.
Executive priority
Treat as a high-priority availability risk if any customer-facing or IoT service uses Netty MQTT. Schedule patching this sprint, verify exposure through SBOM/SCA, and confirm broker monitoring is in place. No evidence of active exploitation today, but the low attack complexity and unauthenticated network reach warrant fast action.
Technical view
In MqttDecoder, decodeVariableHeader() runs before the bytesRemainingBeforeVariableHeader > maxBytesInMessage size check, so decodeProperties() parses the MQTT 5 Properties section without a length limit. Because MqttDecoder extends ReplayingDecoder, incomplete buffers are repeatedly re-parsed while bytes accumulate in memory. The result is uncontrolled resource consumption (CWE-400, CWE-770). Fixed in Netty 4.2.13.Final and 4.1.133.Final per the GHSA advisory.
Likely exposure
Any Java service that exposes an MQTT 5 listener built on netty-codec-mqtt versions >= 4.2.0.Alpha1 and < 4.2.13.Final, or < 4.1.133.Final. IoT brokers, telemetry gateways, and edge messaging tiers reachable from untrusted networks are most exposed. Internal-only MQTT services face lower but non-zero risk from compromised clients.
Exploitation context
CVSS 3.1 is 7.5 (AV:N/AC:L/PR:N/UI:N/A:H) with network reach, no authentication, and availability impact only. No confidentiality or integrity loss is described. The CVE is not listed in CISA KEV, and the provided sources do not cite active exploitation. Public proof-of-concept status is not confirmed in the source bundle.
Researcher notes
Root cause is ordering: decodeVariableHeader() executes before the maxBytesInMessage guard, and ReplayingDecoder retries on incomplete reads, amplifying memory pressure during Properties parsing. Look for MQTT 5 CONNECT/PUBLISH frames with oversized Properties sections. Confirm patched versions in shaded/relocated jars and container base images. Watch for downstream products (Quarkus, Vert.x, brokers, gateways) that pin older Netty; vendor advisories may lag.
Mitigation direction
Upgrade netty-codec-mqtt to 4.2.13.Final or 4.1.133.Final across services and container images.
Apply Red Hat RHSA-2026:37390 or equivalent vendor updates for downstream products bundling Netty.
Restrict MQTT listener exposure to trusted networks and enforce authentication where possible.
Add ingress rate limiting and connection quotas in front of MQTT brokers as a stopgap.
Review third-party libraries and appliances for embedded vulnerable Netty versions and request vendor guidance.
Validation and detection
Inventory Java services and dependencies with SCA to locate netty-codec-mqtt versions in scope.
Confirm resolved runtime version at 4.2.13.Final or 4.1.133.Final after rebuild and redeploy.
Monitor MQTT broker CPU, heap, and connection metrics for abnormal spikes tied to single clients.
Cross-check Red Hat CSAF/VEX data to confirm affected product status for RHEL-based stacks.
Track upstream advisory GHSA-jfg9-48mv-9qgx for any updates or additional guidance.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-400: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.