CVE-2026-44249 | Netty is a network application framework for development of … | CVSS 8.1 HIGH

Description

Netty is a network application framework for development of protocol servers and clients. In netty-handler prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can bypass IPv6 subnet rules due to an incorrect masking operation in IpSubnetFilterRule.compareTo(). Valid public IP addresses can bypass the restrictions. Versions 4.1.135.Final and 4.2.15.Final patch the issue.

Metadata

CVE ID: CVE-2026-44249
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-05-05 16:33 UTC
Published: 2026-06-11 20:46 UTC
Last updated: 2026-06-13 03:55 UTC
Primary CWE: CWE-284
CWE-284: Improper Access Control
Vendor / Product: netty / netty
Sources: cve.org · NVD

Severity & Metrics

8.1 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
netty	netty	—	>= 4.2.0.Final, < 4.2.15.Final, < 4.1.135.Final

Weakness (CWE)

CWE	Source	Description
CWE-284	cna	CWE-284: Improper Access Control
CWE-697	cna	CWE-697: Incorrect Comparison

CVSS scores (1)

Score	Severity	Version	Source	Vector
8.1	HIGH	3.1	cna	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References (3)

https://github.com/netty/netty/security/advisories/GHSA-3qp7-7mw8-wx86 https://github.com/netty/netty/security/advisories/GHSA-3qp7-7mw8-wx86
https://github.com/netty/netty/releases/tag/netty-4.1.135.Final https://github.com/netty/netty/releases/tag/netty-4.1.135.Final
https://github.com/netty/netty/releases/tag/netty-4.2.15.Final https://github.com/netty/netty/releases/tag/netty-4.2.15.Final