Netty HAProxy: Unbalanced Reference Count in Nested PP2_TYPE_SSL TLV Parsing Leads to Memory Exhaustion

GHSA-h2qv-fj59-j46j · CVE-2026-48059

Published Jun 11, 2026 · Modified Jun 12, 2026

Description

Impact

The HAProxy PROXY protocol v2 codec in netty leaks native or heap memory on every connection when a client sends a syntactically valid header containing nested PP2_TYPE_SSL TLVs (type-length-value records) at depth two or greater. The leak occurs on the successful parse path — no exception is thrown, the message fires downstream, the decoder removes itself, and the application releases the HAProxyMessage normally. Yet the underlying cumulation buffer (a pooled, potentially direct ByteBuf allocated by the channel) remains permanently pinned.

References

WEB https://github.com/netty/netty/security/advisories/GHSA-h2qv-fj59-j46j
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-48059
PACKAGE https://github.com/netty/netty
WEB https://github.com/netty/netty/releases/tag/netty-4.1.135.Final
WEB https://github.com/netty/netty/releases/tag/netty-4.2.15.Final

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes