Copyright © 2012 Red Hat, Inc. All rights reserved. Important 2026-05-13T18:23:37 netty: io.netty/netty-codec-mqtt: Netty: Denial of Service due to excessive resource consumption from crafted MQTT 5 header 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CWE-770

A flaw was found in Netty, an asynchronous event-driven network application framework. A remote attacker can exploit this vulnerability by sending a crafted MQTT 5 header with an oversized Properties section. This causes Netty to repeatedly parse and buffer the large Properties section in memory before any message size limits are applied, leading to high CPU and memory consumption. This can result in a Denial of Service (DoS) condition, making the affected system unavailable.

Red Hat AMQ Broker 7 Affected netty-codec-mqtt Red Hat build of Apache Camel for Spring Boot 4 Affected netty-codec-mqtt Red Hat Data Grid 8 Affected netty-codec-mqtt Red Hat Fuse 7 Will not fix netty-codec-mqtt Red Hat JBoss Enterprise Application Platform 7 Affected netty-codec-mqtt Red Hat JBoss Enterprise Application Platform Expansion Pack Not affected netty-codec-mqtt Red Hat Process Automation 7 Affected netty-codec-mqtt Red Hat Single Sign-On 7 Affected netty-codec-mqtt https://www.cve.org/CVERecord?id=CVE-2026-44248 https://nvd.nist.gov/vuln/detail/CVE-2026-44248 https://github.com/netty/netty/security/advisories/GHSA-jfg9-48mv-9qgx