Sign In

CVE-2026-44248

ADVISORY - github

Summary

Impact

The MQTT 5 header Properties section is parsed and buffered before any message size limit is applied.

Specifically, in MqttDecoder, the decodeVariableHeader() method is called before the bytesRemainingBeforeVariableHeader > maxBytesInMessage check. The decodeVariableHeader() can call other methods which will call decodeProperties(). Effectively, Netty does not apply any limits to the size of the properties being decoded.

Additionally, because MqttDecoder extends ReplayingDecoder, Netty will repeatedly re-parse the enormous Properties sections and buffer the bytes in memory, until the entire thing parses to completion.

This can cause high resource usage in both CPU and memory.

Resources

ANT-2026-09608 https://docs.oasis-open.org/mqtt/mqtt/v5.0/os/mqtt-v5.0-os.html#_Toc3901027

Common Weakness Enumeration (CWE)

ADVISORY - github

CWE-400

Uncontrolled Resource Consumption

Impacted images

Advisories

GitHub

CREATED

UPDATED

ADVISORY IDGHSA-jfg9-48mv-9qgx
EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CWE-400

CVSS SCORE

5.3medium

Chainguard

CREATED

UPDATED

ADVISORY ID

CGA-cmjq-2w8w-9vj4

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY