HIGH 8.1 Maven
Netty has an IPv6 Subnet Filter Bypass via Incorrect Comparator Masking
GHSA-3qp7-7mw8-wx86 · CVE-2026-44249
Description
Summary
An attacker can bypass IPv6 subnet rules due to an incorrect masking operation in IpSubnetFilterRule.compareTo(). Valid public IP addresses can bypass the restrictions.
Details
The io.netty.handler.ipfilter.IpSubnetFilterRule#compareTo(java.net.InetSocketAddress) method performs a bitwise AND between the incoming IP address and the configured networkAddress, instead of the subnetMask.
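The following standalone model is an added example, not Netty's source code: it places the comparison described above (AND with the network address) beside the corrected form (AND with the subnet mask) and runs both over three constructed addresses from the 2001:db8::/32 documentation range. The class name, helper methods and the 2001:db8:a00::/40 rule are assumptions made for illustration. The second sample lies outside the subnet, yet the flawed form reports it as equal to the rule because every bit set in the network address is also set in that address.

```java
import java.math.BigInteger;
import java.net.InetAddress;
import java.net.UnknownHostException;

// Standalone model of the comparison described in the advisory; not Netty's code.
public class Ipv6SubnetCompareDemo {
    // Hypothetical helper: IPv6 literal -> unsigned 128-bit integer (literals need no DNS).
    static BigInteger toInt(String literal) throws UnknownHostException {
        return new BigInteger(1, InetAddress.getByName(literal).getAddress());
    }

    // Hypothetical helper: prefix length -> 128-bit mask with the top prefixLen bits set.
    static BigInteger mask(int prefixLen) {
        BigInteger all = BigInteger.ONE.shiftLeft(128).subtract(BigInteger.ONE);
        return all.shiftRight(prefixLen).xor(all);
    }

    // Flawed form: the address is ANDed with the network address itself.
    static int compareFlawed(BigInteger addr, BigInteger network) {
        return addr.and(network).compareTo(network);
    }

    // Corrected form: the address is ANDed with the subnet mask first.
    static int compareFixed(BigInteger addr, BigInteger network, BigInteger subnetMask) {
        return addr.and(subnetMask).compareTo(network);
    }

    public static void main(String[] args) throws UnknownHostException {
        int prefixLen = 40; // constructed rule: 2001:db8:a00::/40
        BigInteger subnetMask = mask(prefixLen);
        BigInteger network = toInt("2001:db8:a00::").and(subnetMask);

        // Constructed samples: inside the subnet, outside but a bit-superset of the
        // network address, and outside without being a superset.
        String[] samples = {"2001:db8:a01::1", "2001:db8:f00::1", "2001:db8:100::1"};
        for (String s : samples) {
            BigInteger addr = toInt(s);
            boolean inSubnet = addr.and(subnetMask).equals(network);
            System.out.printf("%-18s inSubnet=%-5b flawed=%2d fixed=%2d%n", s, inSubnet,
                    compareFlawed(addr, network), compareFixed(addr, network, subnetMask));
        }
    }
}
```

A regression test for an upgraded deployment can use the same idea: pick an address outside each configured IPv6 subnet whose bits are a superset of the rule's network address and confirm the filter treats it as not matching.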
Impact
Access Control Bypass. An attacker can bypass IpSubnetFilter IPv6 access controls.
References
- WEB https://github.com/netty/netty/security/advisories/GHSA-3qp7-7mw8-wx86
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-44249
- PACKAGE https://github.com/netty/netty
- WEB https://github.com/netty/netty/releases/tag/netty-4.1.135.Final
- WEB https://github.com/netty/netty/releases/tag/netty-4.2.15.Final