CVE-2022-41881

MEDIUM

Netty <4.1.86.Final - Memory Corruption

Title source: llm

Description

Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround, except using a custom HaProxyMessageDecoder.

References (4)

[Exploit, Third Party Advisory] https://github.com/netty/netty/security/advisories/GHSA-fx2c-96vj-985v

[Third Party Advisory] https://security.netapp.com/advisory/ntap-20230113-0004/

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html

[Third Party Advisory] https://www.debian.org/security/2023/dsa-5316

Scores

CVSS v3 5.3

EPSS 0.0045

EPSS Percentile 63.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-674

Status published

Products (4)

debian/debian_linux 10.0

debian/debian_linux 11.0

io.netty/netty-codec-haproxy 0 - 4.1.86.FinalMaven

netty/netty < 4.1.86

Published Dec 12, 2022

Tracked Since Feb 18, 2026