Netty: SCTP reassembly nests buffers without bound
GHSA-5xrh-qmmq-w6ch · CVE-2026-46340
Published · Modified
Description
For each non-complete SctpMessage fragment the handler does fragments.put(streamId, Unpooled.wrappedBuffer(frag, byteBuf)), wrapping the previous accumulator and the new slice into a new CompositeByteBuf every time. After N fragments the accumulator is an N-deep chain of composites, each holding references and component arrays; readableBytes()/getBytes() on the final buffer recurse N levels. There is no limit on N, on total bytes, or on the number of streamIdentifiers an attacker can open (each gets its own map entry). A peer that never sets the complete flag can grow this structure indefinitely from tiny 1-byte DATA chunks.
References
- WEB https://github.com/netty/netty/security/advisories/GHSA-5xrh-qmmq-w6ch
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-46340
- PACKAGE https://github.com/netty/netty
- WEB https://github.com/netty/netty/releases/tag/netty-4.1.135.Final
- WEB https://github.com/netty/netty/releases/tag/netty-4.2.15.Final
Ready to move
Start Securing
Free, no credit card | First findings in minutes