{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/netty-codec--4.1.132.final/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["netty-codec-compression (\u003c= 4.2.12.Final)","netty-codec (\u003c= 4.1.132.Final)"],"_cs_severities":["medium"],"_cs_tags":["resource-exhaustion","denial-of-service","netty"],"_cs_type":"advisory","_cs_vendors":["Netty"],"content_html":"\u003cp\u003eThe Netty framework is susceptible to a resource exhaustion vulnerability in its Lz4FrameDecoder. This vulnerability stems from the decoder\u0026rsquo;s reliance on header fields for buffer sizing. An attacker can exploit this by sending a minimal (22-byte) crafted header that specifies a large decompressed length (up to 32MB per block). This forces the server to allocate an unnecessarily large ByteBuf before the LZ4 decompression even occurs, consuming significant memory resources. The vulnerability affects netty-codec-compression versions up to 4.2.12.Final and netty-codec versions up to 4.1.132.Final. By repeatedly sending these malicious headers, an attacker can exhaust server memory, leading to a denial-of-service condition. This is especially critical in environments where Netty is used to handle network communications and where untrusted clients are allowed to connect.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker establishes a network connection to a Netty-based server using the affected Lz4FrameDecoder.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious LZ4 frame header, setting the \u003ccode\u003edecompressedLength\u003c/code\u003e field to a large value (e.g., 32MB). The complete header can be as small as 22 bytes.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted header to the server.\u003c/li\u003e\n\u003cli\u003eThe Lz4FrameDecoder on the server receives the header and allocates a ByteBuf based on the attacker-controlled \u003ccode\u003edecompressedLength\u003c/code\u003e value.\u003c/li\u003e\n\u003cli\u003eThe decoder attempts to decompress the (nonexistent or minimal) compressed data, which may trigger an \u003ccode\u003eIndexOutOfBoundsException\u003c/code\u003e or other decompression error.\u003c/li\u003e\n\u003cli\u003eThe server\u0026rsquo;s memory resources are consumed by the allocated ByteBuf, even if the decompression fails.\u003c/li\u003e\n\u003cli\u003eThe attacker repeats steps 3-6 to continuously allocate memory.\u003c/li\u003e\n\u003cli\u003eThe server\u0026rsquo;s memory is exhausted, leading to a denial-of-service condition for legitimate users.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability results in a denial-of-service (DoS) condition. An attacker can exhaust the server\u0026rsquo;s memory resources by sending a series of small, malicious requests. The number of victims would depend on the deployment of the Netty framework and the exposure of vulnerable services to untrusted clients. The sectors most affected are those relying on Netty for network communication, such as messaging platforms, application servers, and data streaming services. If the attack succeeds, the affected service becomes unavailable, disrupting normal operations and potentially leading to data loss or service outages.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a non-vulnerable version of \u003ccode\u003eio.netty:netty-codec-compression\u003c/code\u003e (greater than 4.2.12.Final) or \u003ccode\u003eio.netty:netty-codec\u003c/code\u003e (greater than 4.1.132.Final) to patch CVE-2026-42583.\u003c/li\u003e\n\u003cli\u003eImplement per-channel and aggregate limits on incoming data and memory allocation to mitigate the impact of resource exhaustion attacks.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unusually small LZ4 frames with excessively large declared decompressed lengths. Deploy the \u003ccode\u003eNetty Lz4 Frame Decoder Large Allocation\u003c/code\u003e Sigma rule to your SIEM to detect this pattern.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-07T00:20:35Z","date_published":"2026-05-07T00:20:35Z","id":"/briefs/2024-01-netty-lz4-resource-exhaustion/","summary":"Netty's Lz4FrameDecoder is vulnerable to resource exhaustion, where an attacker can cause excessive memory allocation by sending a small, crafted header, leading to a denial-of-service condition; this affects netty-codec-compression versions up to 4.2.12.Final and netty-codec versions up to 4.1.132.Final.","title":"Netty Lz4FrameDecoder Resource Exhaustion Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-netty-lz4-resource-exhaustion/"}],"language":"en","title":"CraftedSignal Threat Feed — Netty-Codec (\u003c= 4.1.132.Final)","version":"https://jsonfeed.org/version/1.1"}