CVE-2026-48059

ADVISORY - github

Summary

Impact

The HAProxy PROXY protocol v2 codec in netty leaks native or heap memory on every connection when a client sends a syntactically valid header containing nested PP2_TYPE_SSL TLVs (type-length-value records) at depth two or greater. The leak occurs on the successful parse path — no exception is thrown, the message fires downstream, the decoder removes itself, and the application releases the HAProxyMessage normally. Yet the underlying cumulation buffer (a pooled, potentially direct ByteBuf allocated by the channel) remains permanently pinned.

EPSS Score: 0.00606 (0.450)

Common Weakness Enumeration (CWE)

ADVISORY - nist

Missing Release of Memory after Effective Lifetime

ADVISORY - github

Improper Validation of Syntactic Correctness of Input

Missing Release of Memory after Effective Lifetime

ADVISORY - redhat

Improper Validation of Syntactic Correctness of Input


Sign in to Docker Scout

See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.

Sign in