CVE-2026-45416: Netty: SNI handler pre-allocates up to 16 MiB from nine attacker bytes
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, SslClientHelloHandler.decode() reads the 24-bit TLS handshake length and, when the ClientHello does not fit in the first record, eagerly allocates `ctx.alloc().buffer(handshakeLength)` (line 161). The guard at line 140 is `handshakeLength > maxClientHelloLength && maxClientHelloLength != 0`, and the commonly-used SniHandler/AbstractSniHandler constructors (SniHandler(Mapping), SniHandler(AsyncMapping), AbstractSniHandler()) pass maxClientHelloLength=0 and handshakeTimeoutMillis=0, so the length guard is disabled and no timeout is scheduled. A 16 MiB request exceeds the default pooled chunk size and becomes a huge/unpooled allocation performed immediately. The buffer is retained in the handler until the channel closes. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Security readout for executives and security teams
Plain-English summary
A flaw in the Netty networking library lets an unauthenticated attacker trick a server into reserving up to 16 MiB of memory per connection by sending only nine bytes. Repeated connections can exhaust server memory and knock services offline. Many Java-based applications and appliances embed Netty, so exposure is broad even when teams do not use it directly.
Executive priority
Treat as a priority-two patch cycle: no confirmed active exploitation, but a trivial pre-auth denial-of-service against TLS-facing Java services with wide dependency reach. Schedule remediation within the next scheduled maintenance window and expedite for any internet-exposed revenue or customer-facing systems.
Technical view
SslClientHelloHandler.decode() reads the 24-bit TLS handshake length and, when the ClientHello spans records, calls ctx.alloc().buffer(handshakeLength) before validating input. The common SniHandler and AbstractSniHandler constructors default maxClientHelloLength and handshakeTimeoutMillis to 0, disabling both the length guard and timeout. A crafted 16 MiB length triggers a huge unpooled allocation retained until channel close. Fixed in Netty 4.1.135.Final and 4.2.15.Final.
Likely exposure
Any internet-reachable TLS endpoint built on Netty 4.2.0.Final through 4.2.14.Final or 4.1.x below 4.1.135.Final that terminates SNI with default handler settings. This includes many Java microservices, API gateways, reverse proxies, and third-party appliances that embed Netty transitively via Spring, gRPC, Reactor, or Vert.x.
Exploitation context
CVSS 3.1 base 7.5 (AV:N/AC:L/PR:N/UI:N/A:H); pre-authentication, network reachable, low complexity. Not listed in CISA KEV as of the source bundle and no public in-the-wild exploitation is cited. Red Hat has issued multiple errata (RHSA-2026:26017, 26018, 26586, 28573, 34608, 37390), indicating broad downstream impact and vendor urgency.
Researcher notes
Root cause is unbounded resource allocation (CWE-770) in SslClientHelloHandler.decode() line 161, gated by an ineffective check at line 140 when maxClientHelloLength=0. Nine bytes of attacker-controlled handshake header suffice to request a 16 MiB buffer that bypasses the pooled chunk path. Retention until channel close amplifies memory pressure across concurrent sockets. Validate fix by confirming the guard now trips regardless of maxClientHelloLength default, and by handshake timeout being scheduled.
Mitigation direction
Upgrade Netty to 4.1.135.Final or 4.2.15.Final on all services and rebuild dependent artifacts.
Apply Red Hat RHSA-2026:26017, 26018, 26586, 28573, 34608, and 37390 where applicable.
Where upgrade is delayed, set non-zero maxClientHelloLength and handshakeTimeoutMillis on SniHandler constructors.
Inventory transitive Netty use via Spring Boot, gRPC, Reactor, and Vert.x builds of materials.
Front exposed TLS listeners with a non-Netty terminator or WAF that caps ClientHello size.
Contact appliance vendors for patched builds that embed Netty.
Validation and detection
Run dependency scans (SCA, Trivy, Grype) for netty-handler and netty-codec versions below the fixed releases.
Grep container images and fat JARs for netty-*.jar to catch shaded copies.
Query runtime service inventories for JVM services exposing TLS on public interfaces.
Confirm patched versions load at startup by inspecting Netty version via JMX or /actuator/info.
Monitor heap and direct memory metrics for anomalous allocation spikes during handshake load tests.
Verify Red Hat errata are applied via rpm -q or subscription-manager on affected hosts.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-770: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-770 · source CWE mapping
Allocation of Resources Without Limits or Throttling
Allocation of Resources Without Limits or Throttling represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.