Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2026-47244 (GCVE-0-2026-47244)
Vulnerability from cvelistv5 – Published: 2026-06-12 14:23 – Updated: 2026-06-12 14:59
VLAI
EPSS
Title
Netty HTTP/2: Advertised MAX_CONCURRENT_STREAMS are not enforced
Summary
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, DefaultHttp2Connection.DefaultEndpoint initialises maxActiveStreams/maxStreams to Integer.MAX_VALUE, and Http2Settings never inserts SETTINGS_MAX_CONCURRENT_STREAMS by default (Http2Settings.java:305-307 only clamps a user-supplied value). Unless the application explicitly calls initialSettings().maxConcurrentStreams(n), a Netty HTTP/2 server advertises no limit and enforces none locally. Each open stream allocates a DefaultStream object, PropertyMap slots, flow-controller state and IntObjectHashMap entry; with ~2^30 permissible odd stream IDs a single TCP connection can create hundreds of thousands of long-lived stream objects. This is also the precondition for CVE-2023-44487-style Rapid-Reset amplification, where the absence of a low concurrent cap multiplies backend work. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/netty/netty/security/advisorie… | x_refsource_CONFIRM |
| https://github.com/netty/netty/releases/tag/netty… | x_refsource_MISC |
| https://github.com/netty/netty/releases/tag/netty… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-47244",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-12T14:59:00.141106Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T14:59:15.823Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "netty",
"vendor": "netty",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.2.0.Final, \u003c 4.2.15.Final"
},
{
"status": "affected",
"version": "\u003c 4.1.135.Final"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, DefaultHttp2Connection.DefaultEndpoint initialises maxActiveStreams/maxStreams to Integer.MAX_VALUE, and Http2Settings never inserts SETTINGS_MAX_CONCURRENT_STREAMS by default (Http2Settings.java:305-307 only clamps a user-supplied value). Unless the application explicitly calls initialSettings().maxConcurrentStreams(n), a Netty HTTP/2 server advertises no limit and enforces none locally. Each open stream allocates a DefaultStream object, PropertyMap slots, flow-controller state and IntObjectHashMap entry; with ~2^30 permissible odd stream IDs a single TCP connection can create hundreds of thousands of long-lived stream objects. This is also the precondition for CVE-2023-44487-style Rapid-Reset amplification, where the absence of a low concurrent cap multiplies backend work. Versions 4.1.135.Final and 4.2.15.Final patch the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T14:23:50.316Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/netty/netty/security/advisories/GHSA-5x3r-wrvg-rp6q",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/netty/netty/security/advisories/GHSA-5x3r-wrvg-rp6q"
},
{
"name": "https://github.com/netty/netty/releases/tag/netty-4.1.135.Final",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/netty/netty/releases/tag/netty-4.1.135.Final"
},
{
"name": "https://github.com/netty/netty/releases/tag/netty-4.2.15.Final",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/netty/netty/releases/tag/netty-4.2.15.Final"
}
],
"source": {
"advisory": "GHSA-5x3r-wrvg-rp6q",
"discovery": "UNKNOWN"
},
"title": "Netty HTTP/2: Advertised MAX_CONCURRENT_STREAMS are not enforced"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-47244",
"datePublished": "2026-06-12T14:23:50.316Z",
"dateReserved": "2026-05-18T22:54:18.272Z",
"dateUpdated": "2026-06-12T14:59:15.823Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-47244",
"date": "2026-06-16",
"epss": "0.00507",
"percentile": "0.39066"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-47244\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-06-12T15:16:29.217\",\"lastModified\":\"2026-06-15T02:11:37.623\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, DefaultHttp2Connection.DefaultEndpoint initialises maxActiveStreams/maxStreams to Integer.MAX_VALUE, and Http2Settings never inserts SETTINGS_MAX_CONCURRENT_STREAMS by default (Http2Settings.java:305-307 only clamps a user-supplied value). Unless the application explicitly calls initialSettings().maxConcurrentStreams(n), a Netty HTTP/2 server advertises no limit and enforces none locally. Each open stream allocates a DefaultStream object, PropertyMap slots, flow-controller state and IntObjectHashMap entry; with ~2^30 permissible odd stream IDs a single TCP connection can create hundreds of thousands of long-lived stream objects. This is also the precondition for CVE-2023-44487-style Rapid-Reset amplification, where the absence of a low concurrent cap multiplies backend work. Versions 4.1.135.Final and 4.2.15.Final patch the issue.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-400\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"4.1.135\",\"matchCriteriaId\":\"3097D962-A32D-4467-AAE7-F4CBA3A349D2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.2.0\",\"versionEndExcluding\":\"4.2.15\",\"matchCriteriaId\":\"413D4611-A46C-4BE4-AB2F-D86282F65984\"}]}]}],\"references\":[{\"url\":\"https://github.com/netty/netty/releases/tag/netty-4.1.135.Final\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/netty/netty/releases/tag/netty-4.2.15.Final\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/netty/netty/security/advisories/GHSA-5x3r-wrvg-rp6q\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-47244\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-12T14:59:00.141106Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-12T14:59:07.858Z\"}}], \"cna\": {\"title\": \"Netty HTTP/2: Advertised MAX_CONCURRENT_STREAMS are not enforced\", \"source\": {\"advisory\": \"GHSA-5x3r-wrvg-rp6q\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"netty\", \"product\": \"netty\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 4.2.0.Final, \u003c 4.2.15.Final\"}, {\"status\": \"affected\", \"version\": \"\u003c 4.1.135.Final\"}]}], \"references\": [{\"url\": \"https://github.com/netty/netty/security/advisories/GHSA-5x3r-wrvg-rp6q\", \"name\": \"https://github.com/netty/netty/security/advisories/GHSA-5x3r-wrvg-rp6q\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/netty/netty/releases/tag/netty-4.1.135.Final\", \"name\": \"https://github.com/netty/netty/releases/tag/netty-4.1.135.Final\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/netty/netty/releases/tag/netty-4.2.15.Final\", \"name\": \"https://github.com/netty/netty/releases/tag/netty-4.2.15.Final\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, DefaultHttp2Connection.DefaultEndpoint initialises maxActiveStreams/maxStreams to Integer.MAX_VALUE, and Http2Settings never inserts SETTINGS_MAX_CONCURRENT_STREAMS by default (Http2Settings.java:305-307 only clamps a user-supplied value). Unless the application explicitly calls initialSettings().maxConcurrentStreams(n), a Netty HTTP/2 server advertises no limit and enforces none locally. Each open stream allocates a DefaultStream object, PropertyMap slots, flow-controller state and IntObjectHashMap entry; with ~2^30 permissible odd stream IDs a single TCP connection can create hundreds of thousands of long-lived stream objects. This is also the precondition for CVE-2023-44487-style Rapid-Reset amplification, where the absence of a low concurrent cap multiplies backend work. Versions 4.1.135.Final and 4.2.15.Final patch the issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-400\", \"description\": \"CWE-400: Uncontrolled Resource Consumption\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-06-12T14:23:50.316Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-47244\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-12T14:59:15.823Z\", \"dateReserved\": \"2026-05-18T22:54:18.272Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-06-12T14:23:50.316Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
FKIE_CVE-2026-47244
Vulnerability from fkie_nvd - Published: 2026-06-12 15:16 - Updated: 2026-06-15 02:11
Severity
Summary
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, DefaultHttp2Connection.DefaultEndpoint initialises maxActiveStreams/maxStreams to Integer.MAX_VALUE, and Http2Settings never inserts SETTINGS_MAX_CONCURRENT_STREAMS by default (Http2Settings.java:305-307 only clamps a user-supplied value). Unless the application explicitly calls initialSettings().maxConcurrentStreams(n), a Netty HTTP/2 server advertises no limit and enforces none locally. Each open stream allocates a DefaultStream object, PropertyMap slots, flow-controller state and IntObjectHashMap entry; with ~2^30 permissible odd stream IDs a single TCP connection can create hundreds of thousands of long-lived stream objects. This is also the precondition for CVE-2023-44487-style Rapid-Reset amplification, where the absence of a low concurrent cap multiplies backend work. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3097D962-A32D-4467-AAE7-F4CBA3A349D2",
"versionEndExcluding": "4.1.135",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*",
"matchCriteriaId": "413D4611-A46C-4BE4-AB2F-D86282F65984",
"versionEndExcluding": "4.2.15",
"versionStartIncluding": "4.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, DefaultHttp2Connection.DefaultEndpoint initialises maxActiveStreams/maxStreams to Integer.MAX_VALUE, and Http2Settings never inserts SETTINGS_MAX_CONCURRENT_STREAMS by default (Http2Settings.java:305-307 only clamps a user-supplied value). Unless the application explicitly calls initialSettings().maxConcurrentStreams(n), a Netty HTTP/2 server advertises no limit and enforces none locally. Each open stream allocates a DefaultStream object, PropertyMap slots, flow-controller state and IntObjectHashMap entry; with ~2^30 permissible odd stream IDs a single TCP connection can create hundreds of thousands of long-lived stream objects. This is also the precondition for CVE-2023-44487-style Rapid-Reset amplification, where the absence of a low concurrent cap multiplies backend work. Versions 4.1.135.Final and 4.2.15.Final patch the issue."
}
],
"id": "CVE-2026-47244",
"lastModified": "2026-06-15T02:11:37.623",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-06-12T15:16:29.217",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/netty/netty/releases/tag/netty-4.1.135.Final"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/netty/netty/releases/tag/netty-4.2.15.Final"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/netty/netty/security/advisories/GHSA-5x3r-wrvg-rp6q"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
GHSA-5X3R-WRVG-RP6Q
Vulnerability from github – Published: 2026-06-08 23:02 – Updated: 2026-06-12 19:30
VLAI
Summary
Netty HTTP/2: Advertised MAX_CONCURRENT_STREAMS are not enforced
Details
Impact
DefaultHttp2Connection.DefaultEndpoint initialises maxActiveStreams/maxStreams to Integer.MAX_VALUE, and Http2Settings never inserts SETTINGS_MAX_CONCURRENT_STREAMS by default (Http2Settings.java:305-307 only clamps a user-supplied value). Unless the application explicitly calls initialSettings().maxConcurrentStreams(n), a Netty HTTP/2 server advertises no limit and enforces none locally. Each open stream allocates a DefaultStream object, PropertyMap slots, flow-controller state and IntObjectHashMap entry; with ~2^30 permissible odd stream IDs a single TCP connection can create hundreds of thousands of long-lived stream objects. This is also the precondition for CVE-2023-44487-style Rapid-Reset amplification, where the absence of a low concurrent cap multiplies backend work.
Resources
https://www.rfc-editor.org/rfc/rfc7540.html#section-6.5.2
Severity
5.3 (Medium)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.2.14.Final"
},
"package": {
"ecosystem": "Maven",
"name": "io.netty:netty-codec-http2"
},
"ranges": [
{
"events": [
{
"introduced": "4.2.0.Final"
},
{
"fixed": "4.2.15.Final"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.1.134.Final"
},
"package": {
"ecosystem": "Maven",
"name": "io.netty:netty-codec-http2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.1.135.Final"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-47244"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-08T23:02:40Z",
"nvd_published_at": "2026-06-12T15:16:29Z",
"severity": "MODERATE"
},
"details": "### Impact\nDefaultHttp2Connection.DefaultEndpoint initialises maxActiveStreams/maxStreams to Integer.MAX_VALUE, and Http2Settings never inserts SETTINGS_MAX_CONCURRENT_STREAMS by default (Http2Settings.java:305-307 only clamps a user-supplied value). Unless the application explicitly calls initialSettings().maxConcurrentStreams(n), a Netty HTTP/2 server advertises no limit and enforces none locally. Each open stream allocates a DefaultStream object, PropertyMap slots, flow-controller state and IntObjectHashMap entry; with ~2^30 permissible odd stream IDs a single TCP connection can create hundreds of thousands of long-lived stream objects. This is also the precondition for CVE-2023-44487-style Rapid-Reset amplification, where the absence of a low concurrent cap multiplies backend work.\n\n### Resources\nhttps://www.rfc-editor.org/rfc/rfc7540.html#section-6.5.2",
"id": "GHSA-5x3r-wrvg-rp6q",
"modified": "2026-06-12T19:30:17Z",
"published": "2026-06-08T23:02:40Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/netty/netty/security/advisories/GHSA-5x3r-wrvg-rp6q"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47244"
},
{
"type": "PACKAGE",
"url": "https://github.com/netty/netty"
},
{
"type": "WEB",
"url": "https://github.com/netty/netty/releases/tag/netty-4.1.135.Final"
},
{
"type": "WEB",
"url": "https://github.com/netty/netty/releases/tag/netty-4.2.15.Final"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "Netty HTTP/2: Advertised MAX_CONCURRENT_STREAMS are not enforced"
}
OPENSUSE-SU-2026:11033-1
Vulnerability from csaf_opensuse - Published: 2026-06-15 00:00 - Updated: 2026-06-15 00:00Summary
netty-4.1.135-1.1 on GA media
Severity
Moderate
Notes
Title of the patch: netty-4.1.135-1.1 on GA media
Description of the patch: These are all security issues fixed in the netty-4.1.135-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames: openSUSE-Tumbleweed-2026-11033
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
8.1 (High)
Affected products
Recommended
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.135-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.135-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.135-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.135-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.135-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.135-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.135-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.135-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.135-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.135-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.135-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.135-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.5 (High)
Affected products
Recommended
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.135-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.135-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.135-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.135-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.135-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.135-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.135-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.135-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.135-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.135-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.135-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.135-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.5 (High)
Affected products
Recommended
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.135-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.135-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.135-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.135-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.135-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.135-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.135-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.135-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.135-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.135-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.135-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.135-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.5 (High)
Affected products
Recommended
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.135-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.135-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.135-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.135-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.135-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.135-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.135-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.135-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.135-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.135-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.135-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.135-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.5 (High)
Affected products
Recommended
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.135-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.135-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.135-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.135-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.135-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.135-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.135-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.135-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.135-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.135-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.135-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.135-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
4 (Medium)
Affected products
Recommended
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.135-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.135-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.135-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.135-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.135-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.135-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.135-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.135-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.135-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.135-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.135-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.135-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
6.8 (Medium)
Affected products
Recommended
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.135-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.135-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.135-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.135-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.135-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.135-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.135-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.135-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.135-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.135-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.135-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.135-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
8.7 (High)
Affected products
Recommended
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.135-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.135-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.135-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.135-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.135-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.135-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.135-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.135-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.135-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.135-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.135-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.135-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.5 (High)
Affected products
Recommended
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.135-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.135-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.135-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.135-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.135-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.135-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.135-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.135-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.135-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.135-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.135-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.135-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
5.3 (Medium)
Affected products
Recommended
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.135-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.135-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.135-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.135-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.135-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.135-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.135-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.135-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.135-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.135-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.135-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.135-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
8.7 (High)
Affected products
Recommended
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.135-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.135-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.135-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.135-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.135-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.135-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.135-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.135-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.135-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.135-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.135-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.135-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.5 (High)
Affected products
Recommended
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.135-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.135-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.135-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.135-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.135-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.135-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.135-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.135-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.135-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.135-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.135-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.135-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.5 (High)
Affected products
Recommended
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.135-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.135-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.135-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.135-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.135-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.135-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.135-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.135-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.135-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.135-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.135-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.135-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.5 (High)
Affected products
Recommended
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.135-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.135-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.135-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.135-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.135-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.135-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.135-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.135-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.135-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.135-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.135-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.135-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.5 (High)
Affected products
Recommended
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.135-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.135-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.135-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.135-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.135-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.135-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.135-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.135-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.135-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.135-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.135-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.135-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.5 (High)
Affected products
Recommended
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.135-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.135-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.135-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.135-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.135-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.135-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.135-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.135-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.135-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.135-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.135-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.135-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
5.3 (Medium)
Affected products
Recommended
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.135-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.135-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.135-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.135-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.135-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.135-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.135-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.135-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.135-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.135-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.135-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.135-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
5.3 (Medium)
Affected products
Recommended
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.135-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.135-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.135-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.135-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.135-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.135-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.135-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.135-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.135-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.135-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.135-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.135-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
References
56 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "netty-4.1.135-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the netty-4.1.135-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2026-11033",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_11033-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-44249 page",
"url": "https://www.suse.com/security/cve/CVE-2026-44249/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-44250 page",
"url": "https://www.suse.com/security/cve/CVE-2026-44250/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-44890 page",
"url": "https://www.suse.com/security/cve/CVE-2026-44890/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-44893 page",
"url": "https://www.suse.com/security/cve/CVE-2026-44893/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-45416 page",
"url": "https://www.suse.com/security/cve/CVE-2026-45416/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-45536 page",
"url": "https://www.suse.com/security/cve/CVE-2026-45536/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-45673 page",
"url": "https://www.suse.com/security/cve/CVE-2026-45673/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-45674 page",
"url": "https://www.suse.com/security/cve/CVE-2026-45674/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-46340 page",
"url": "https://www.suse.com/security/cve/CVE-2026-46340/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-47244 page",
"url": "https://www.suse.com/security/cve/CVE-2026-47244/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-47691 page",
"url": "https://www.suse.com/security/cve/CVE-2026-47691/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-48006 page",
"url": "https://www.suse.com/security/cve/CVE-2026-48006/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-48043 page",
"url": "https://www.suse.com/security/cve/CVE-2026-48043/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-48059 page",
"url": "https://www.suse.com/security/cve/CVE-2026-48059/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-50010 page",
"url": "https://www.suse.com/security/cve/CVE-2026-50010/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-50011 page",
"url": "https://www.suse.com/security/cve/CVE-2026-50011/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-50020 page",
"url": "https://www.suse.com/security/cve/CVE-2026-50020/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-50560 page",
"url": "https://www.suse.com/security/cve/CVE-2026-50560/"
}
],
"title": "netty-4.1.135-1.1 on GA media",
"tracking": {
"current_release_date": "2026-06-15T00:00:00Z",
"generator": {
"date": "2026-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:11033-1",
"initial_release_date": "2026-06-15T00:00:00Z",
"revision_history": [
{
"date": "2026-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "netty-4.1.135-1.1.aarch64",
"product": {
"name": "netty-4.1.135-1.1.aarch64",
"product_id": "netty-4.1.135-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "netty-bom-4.1.135-1.1.aarch64",
"product": {
"name": "netty-bom-4.1.135-1.1.aarch64",
"product_id": "netty-bom-4.1.135-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "netty-javadoc-4.1.135-1.1.aarch64",
"product": {
"name": "netty-javadoc-4.1.135-1.1.aarch64",
"product_id": "netty-javadoc-4.1.135-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "netty-parent-4.1.135-1.1.aarch64",
"product": {
"name": "netty-parent-4.1.135-1.1.aarch64",
"product_id": "netty-parent-4.1.135-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "netty-4.1.135-1.1.ppc64le",
"product": {
"name": "netty-4.1.135-1.1.ppc64le",
"product_id": "netty-4.1.135-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "netty-bom-4.1.135-1.1.ppc64le",
"product": {
"name": "netty-bom-4.1.135-1.1.ppc64le",
"product_id": "netty-bom-4.1.135-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "netty-javadoc-4.1.135-1.1.ppc64le",
"product": {
"name": "netty-javadoc-4.1.135-1.1.ppc64le",
"product_id": "netty-javadoc-4.1.135-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "netty-parent-4.1.135-1.1.ppc64le",
"product": {
"name": "netty-parent-4.1.135-1.1.ppc64le",
"product_id": "netty-parent-4.1.135-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "netty-4.1.135-1.1.s390x",
"product": {
"name": "netty-4.1.135-1.1.s390x",
"product_id": "netty-4.1.135-1.1.s390x"
}
},
{
"category": "product_version",
"name": "netty-bom-4.1.135-1.1.s390x",
"product": {
"name": "netty-bom-4.1.135-1.1.s390x",
"product_id": "netty-bom-4.1.135-1.1.s390x"
}
},
{
"category": "product_version",
"name": "netty-javadoc-4.1.135-1.1.s390x",
"product": {
"name": "netty-javadoc-4.1.135-1.1.s390x",
"product_id": "netty-javadoc-4.1.135-1.1.s390x"
}
},
{
"category": "product_version",
"name": "netty-parent-4.1.135-1.1.s390x",
"product": {
"name": "netty-parent-4.1.135-1.1.s390x",
"product_id": "netty-parent-4.1.135-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "netty-4.1.135-1.1.x86_64",
"product": {
"name": "netty-4.1.135-1.1.x86_64",
"product_id": "netty-4.1.135-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "netty-bom-4.1.135-1.1.x86_64",
"product": {
"name": "netty-bom-4.1.135-1.1.x86_64",
"product_id": "netty-bom-4.1.135-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "netty-javadoc-4.1.135-1.1.x86_64",
"product": {
"name": "netty-javadoc-4.1.135-1.1.x86_64",
"product_id": "netty-javadoc-4.1.135-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "netty-parent-4.1.135-1.1.x86_64",
"product": {
"name": "netty-parent-4.1.135-1.1.x86_64",
"product_id": "netty-parent-4.1.135-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-4.1.135-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-4.1.135-1.1.aarch64"
},
"product_reference": "netty-4.1.135-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-4.1.135-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-4.1.135-1.1.ppc64le"
},
"product_reference": "netty-4.1.135-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-4.1.135-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-4.1.135-1.1.s390x"
},
"product_reference": "netty-4.1.135-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-4.1.135-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-4.1.135-1.1.x86_64"
},
"product_reference": "netty-4.1.135-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-bom-4.1.135-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-bom-4.1.135-1.1.aarch64"
},
"product_reference": "netty-bom-4.1.135-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-bom-4.1.135-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-bom-4.1.135-1.1.ppc64le"
},
"product_reference": "netty-bom-4.1.135-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-bom-4.1.135-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-bom-4.1.135-1.1.s390x"
},
"product_reference": "netty-bom-4.1.135-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-bom-4.1.135-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-bom-4.1.135-1.1.x86_64"
},
"product_reference": "netty-bom-4.1.135-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-javadoc-4.1.135-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.aarch64"
},
"product_reference": "netty-javadoc-4.1.135-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-javadoc-4.1.135-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.ppc64le"
},
"product_reference": "netty-javadoc-4.1.135-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-javadoc-4.1.135-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.s390x"
},
"product_reference": "netty-javadoc-4.1.135-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-javadoc-4.1.135-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.x86_64"
},
"product_reference": "netty-javadoc-4.1.135-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-parent-4.1.135-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-parent-4.1.135-1.1.aarch64"
},
"product_reference": "netty-parent-4.1.135-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-parent-4.1.135-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-parent-4.1.135-1.1.ppc64le"
},
"product_reference": "netty-parent-4.1.135-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-parent-4.1.135-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-parent-4.1.135-1.1.s390x"
},
"product_reference": "netty-parent-4.1.135-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-parent-4.1.135-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-parent-4.1.135-1.1.x86_64"
},
"product_reference": "netty-parent-4.1.135-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-44249",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-44249"
}
],
"notes": [
{
"category": "general",
"text": "Netty is a network application framework for development of protocol servers and clients. In netty-handler prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can bypass IPv6 subnet rules due to an incorrect masking operation in IpSubnetFilterRule.compareTo(). Valid public IP addresses can bypass the restrictions. Versions 4.1.135.Final and 4.2.15.Final patch the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:netty-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-44249",
"url": "https://www.suse.com/security/cve/CVE-2026-44249"
},
{
"category": "external",
"summary": "SUSE Bug 1268165 for CVE-2026-44249",
"url": "https://bugzilla.suse.com/1268165"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:netty-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:netty-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-44249"
},
{
"cve": "CVE-2026-44250",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-44250"
}
],
"notes": [
{
"category": "general",
"text": "Netty is a network application framework for development of protocol servers and clients. In netty-codec-redis prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can cause DoS by sending a crafted Redis payload with deeply nested arrays. This forces the server to allocate a massive number of state objects and collections, leading to memory exhaustion and an OutOfMemoryError. Versions 4.1.135.Final and 4.2.15.Final patch the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:netty-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-44250",
"url": "https://www.suse.com/security/cve/CVE-2026-44250"
},
{
"category": "external",
"summary": "SUSE Bug 1268169 for CVE-2026-44250",
"url": "https://bugzilla.suse.com/1268169"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:netty-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:netty-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-44250"
},
{
"cve": "CVE-2026-44890",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-44890"
}
],
"notes": [
{
"category": "general",
"text": "Netty is a network application framework for development of protocol servers and clients. In netty-codec-redis prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can cause DoS by sending crafted Redis payloads across multiple connections without `\\r\\n`. This exhausts the server\u0027s direct memory pool (OutOfDirectMemoryError), preventing legitimate connections from being processed. Versions 4.1.135.Final and 4.2.15.Final patch the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:netty-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-44890",
"url": "https://www.suse.com/security/cve/CVE-2026-44890"
},
{
"category": "external",
"summary": "SUSE Bug 1268170 for CVE-2026-44890",
"url": "https://bugzilla.suse.com/1268170"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:netty-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:netty-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-44890"
},
{
"cve": "CVE-2026-44893",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-44893"
}
],
"notes": [
{
"category": "general",
"text": "Netty is a network application framework for development of protocol servers and clients. In netty-codec-haproxy prior to versions 4.1.135.Final and 4.2.15.Final, when decoding a PP2_TYPE_SSL TLV, HAProxyMessage.readNextTLV() first calls `header.retainedSlice(header.readerIndex(), length)` and only then reads the 1-byte client field and 4-byte verify field. If the attacker sets the TLV length below 5, the subsequent readByte/readInt throws IndexOutOfBoundsException. HAProxyMessageDecoder only catches HAProxyProtocolException around this call, so the IOOBE propagates and the retained slice on the pooled cumulation buffer is never released. Versions 4.1.135.Final and 4.2.15.Final patch the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:netty-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-44893",
"url": "https://www.suse.com/security/cve/CVE-2026-44893"
},
{
"category": "external",
"summary": "SUSE Bug 1268244 for CVE-2026-44893",
"url": "https://bugzilla.suse.com/1268244"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:netty-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:netty-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-44893"
},
{
"cve": "CVE-2026-45416",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-45416"
}
],
"notes": [
{
"category": "general",
"text": "Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, SslClientHelloHandler.decode() reads the 24-bit TLS handshake length and, when the ClientHello does not fit in the first record, eagerly allocates `ctx.alloc().buffer(handshakeLength)` (line 161). The guard at line 140 is `handshakeLength \u003e maxClientHelloLength \u0026\u0026 maxClientHelloLength != 0`, and the commonly-used SniHandler/AbstractSniHandler constructors (SniHandler(Mapping), SniHandler(AsyncMapping), AbstractSniHandler()) pass maxClientHelloLength=0 and handshakeTimeoutMillis=0, so the length guard is disabled and no timeout is scheduled. A 16 MiB request exceeds the default pooled chunk size and becomes a huge/unpooled allocation performed immediately. The buffer is retained in the handler until the channel closes. Versions 4.1.135.Final and 4.2.15.Final patch the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:netty-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-45416",
"url": "https://www.suse.com/security/cve/CVE-2026-45416"
},
{
"category": "external",
"summary": "SUSE Bug 1268246 for CVE-2026-45416",
"url": "https://bugzilla.suse.com/1268246"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:netty-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:netty-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-45416"
},
{
"cve": "CVE-2026-45536",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-45536"
}
],
"notes": [
{
"category": "general",
"text": "Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, netty_unix_socket_recvFd sets msg_control to `char control[CMSG_SPACE(sizeof(int))]` (line 940) - 24 bytes on 64-bit Linux. A peer-sent SCM_RIGHTS cmsg carrying two ints has cmsg_len = CMSG_LEN(8) = 24, which fits exactly with no MSG_CTRUNC, so the kernel installs both fds in the receiving process. The subsequent check `cmsg-\u003ecmsg_len == CMSG_LEN(sizeof(int))` (line 972, expected 20) fails, the branch that would read the fd is skipped, and neither installed fd is closed. The for(;;) loop calls recvmsg again (non-blocking -\u003e EAGAIN -\u003e Java maps to 0 -\u003e read loop exits normally), leaving two leaked fds per message. There is no MSG_CTRUNC handling. Reachable via Epoll/KQueue DomainSocketChannel when the application opts into DomainSocketReadMode.FILE_DESCRIPTORS (non-default). Versions 4.1.135.Final and 4.2.15.Final patch the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:netty-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-45536",
"url": "https://www.suse.com/security/cve/CVE-2026-45536"
},
{
"category": "external",
"summary": "SUSE Bug 1268247 for CVE-2026-45536",
"url": "https://bugzilla.suse.com/1268247"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:netty-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:netty-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-45536"
},
{
"cve": "CVE-2026-45673",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-45673"
}
],
"notes": [
{
"category": "general",
"text": "Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty\u0027s DNS resolver uses a predictable PRNG for generating DNS transaction IDs and defaults to a static UDP source port. This combination reduces the entropy of DNS queries, enabling DNS Cache Poisoning (Kaminsky attack). Versions 4.1.135.Final and 4.2.15.Final patch the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:netty-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-45673",
"url": "https://www.suse.com/security/cve/CVE-2026-45673"
},
{
"category": "external",
"summary": "SUSE Bug 1268248 for CVE-2026-45673",
"url": "https://bugzilla.suse.com/1268248"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:netty-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:netty-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-45673"
},
{
"cve": "CVE-2026-45674",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-45674"
}
],
"notes": [
{
"category": "general",
"text": "Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty\u0027s DnsResolveContext fails to validate the origin (bailiwick) of CNAME records in DNS responses. Versions 4.1.135.Final and 4.2.15.Final patch the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:netty-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-45674",
"url": "https://www.suse.com/security/cve/CVE-2026-45674"
},
{
"category": "external",
"summary": "SUSE Bug 1268249 for CVE-2026-45674",
"url": "https://bugzilla.suse.com/1268249"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:netty-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:netty-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-45674"
},
{
"cve": "CVE-2026-46340",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-46340"
}
],
"notes": [
{
"category": "general",
"text": "Netty is a network application framework for development of protocol servers and clients. In versions of netty-transport-sctp prior to 4.1.135.Final and 4.2.15.Final, for each non-complete SctpMessage fragment the handler does `fragments.put(streamId, Unpooled.wrappedBuffer(frag, byteBuf))`, wrapping the previous accumulator and the new slice into a *new* CompositeByteBuf every time. After N fragments the accumulator is an N-deep chain of composites, each holding references and component arrays; readableBytes()/getBytes() on the final buffer recurse N levels. There is no limit on N, on total bytes, or on the number of streamIdentifiers an attacker can open (each gets its own map entry). A peer that never sets the `complete` flag can grow this structure indefinitely from tiny 1-byte DATA chunks. Versions 4.1.135.Final and 4.2.15.Final patch the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:netty-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-46340",
"url": "https://www.suse.com/security/cve/CVE-2026-46340"
},
{
"category": "external",
"summary": "SUSE Bug 1268250 for CVE-2026-46340",
"url": "https://bugzilla.suse.com/1268250"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:netty-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:netty-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-46340"
},
{
"cve": "CVE-2026-47244",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-47244"
}
],
"notes": [
{
"category": "general",
"text": "Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, DefaultHttp2Connection.DefaultEndpoint initialises maxActiveStreams/maxStreams to Integer.MAX_VALUE, and Http2Settings never inserts SETTINGS_MAX_CONCURRENT_STREAMS by default (Http2Settings.java:305-307 only clamps a user-supplied value). Unless the application explicitly calls initialSettings().maxConcurrentStreams(n), a Netty HTTP/2 server advertises no limit and enforces none locally. Each open stream allocates a DefaultStream object, PropertyMap slots, flow-controller state and IntObjectHashMap entry; with ~2^30 permissible odd stream IDs a single TCP connection can create hundreds of thousands of long-lived stream objects. This is also the precondition for CVE-2023-44487-style Rapid-Reset amplification, where the absence of a low concurrent cap multiplies backend work. Versions 4.1.135.Final and 4.2.15.Final patch the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:netty-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-47244",
"url": "https://www.suse.com/security/cve/CVE-2026-47244"
},
{
"category": "external",
"summary": "SUSE Bug 1268251 for CVE-2026-47244",
"url": "https://bugzilla.suse.com/1268251"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:netty-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:netty-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-47244"
},
{
"cve": "CVE-2026-47691",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-47691"
}
],
"notes": [
{
"category": "general",
"text": "Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty\u0027s `DnsResolveContext` insufficiently validates the bailiwick of NS records, enabling DNS Cache Poisoning. An attacker controlling an authoritative name server for a subdomain can poison the cache for parent domains (like `.co.uk`). In `io.netty.resolver.dns.DnsResolveContext.AuthoritativeNameServerList#add` method accepts any NS record from the AUTHORITY section as long as the record\u0027s name is a suffix of the questionName. Subsequently, the `handleWithAdditional` method caches the associated A records from the ADDITIONAL section directly into the `authoritativeDnsServerCache` under the parent domain\u0027s key. This bypasses standard bailiwick rules, where a server authoritative for a subdomain should not be trusted to provide authoritative records for its parent. The poisoned cache is then used for all future resolutions under the parent domain\u0027s key. Versions 4.1.135.Final and 4.2.15.Final patch the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:netty-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-47691",
"url": "https://www.suse.com/security/cve/CVE-2026-47691"
},
{
"category": "external",
"summary": "SUSE Bug 1268252 for CVE-2026-47691",
"url": "https://bugzilla.suse.com/1268252"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:netty-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:netty-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-47691"
},
{
"cve": "CVE-2026-48006",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-48006"
}
],
"notes": [
{
"category": "general",
"text": "Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, the RedisArrayAggregator handler permanently leaks pooled direct-memory buffers when a Redis pipeline connection closes before a RESP array aggregate completes. The handler retains child messages in per-handler state (`depths` field) but defines no `channelInactive`, `handlerRemoved`, or `exceptionCaught` method to release them when the pipeline tears down. Because the leaked buffers are slices of `PooledByteBufAllocator` chunks, they prevent those chunks from being returned to the JVM-wide direct-memory pool. Repeated connection churn by any network peer monotonically drains this shared pool, eventually causing allocation failures on all Netty channels in the process. Versions 4.1.135.Final and 4.2.15.Final patch the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:netty-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-48006",
"url": "https://www.suse.com/security/cve/CVE-2026-48006"
},
{
"category": "external",
"summary": "SUSE Bug 1268255 for CVE-2026-48006",
"url": "https://bugzilla.suse.com/1268255"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:netty-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:netty-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-48006"
},
{
"cve": "CVE-2026-48043",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-48043"
}
],
"notes": [
{
"category": "general",
"text": "Netty is a network application framework for development of protocol servers and clients. In netty-codec-http2 prior to versions 4.1.135.Final and 4.2.15.Final, the `DelegatingDecompressorFrameListener` class orchestrates HTTP/2 decompression by embedding a per-stream `EmbeddedChannel` that runs the appropriate decompression codec (gzip, deflate, zstd) and forwards decompressed chunks to a wrapped listener. Each decompressed chunk is a pooled `ByteBuf` handed to an anonymous `ChannelInboundHandlerAdapter` tail handler, which becomes the sole owner responsible for releasing it. A remote peer could send frames that would result in the flow-controller throwing and so trigger a resource leak which at the end might take down the whole JVM due OOME. Versions 4.1.135.Final and 4.2.15.Final patch the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:netty-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-48043",
"url": "https://www.suse.com/security/cve/CVE-2026-48043"
},
{
"category": "external",
"summary": "SUSE Bug 1268257 for CVE-2026-48043",
"url": "https://bugzilla.suse.com/1268257"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:netty-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:netty-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-48043"
},
{
"cve": "CVE-2026-48059",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-48059"
}
],
"notes": [
{
"category": "general",
"text": "Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, the HAProxy PROXY protocol v2 codec in netty leaks native or heap memory on every connection when a client sends a syntactically valid header containing nested `PP2_TYPE_SSL` TLVs (type-length-value records) at depth two or greater. The leak occurs on the successful parse path - no exception is thrown, the message fires downstream, the decoder removes itself, and the application releases the `HAProxyMessage` normally. Yet the underlying cumulation buffer (a pooled, potentially direct `ByteBuf` allocated by the channel) remains permanently pinned. Versions 4.1.135.Final and 4.2.15.Final patch the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:netty-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-48059",
"url": "https://www.suse.com/security/cve/CVE-2026-48059"
},
{
"category": "external",
"summary": "SUSE Bug 1268258 for CVE-2026-48059",
"url": "https://bugzilla.suse.com/1268258"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:netty-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:netty-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-48059"
},
{
"cve": "CVE-2026-50010",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-50010"
}
],
"notes": [
{
"category": "general",
"text": "Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, SimpleTrustManagerFactory.engineGetTrustManagers() and related paths wrap any user-supplied plain X509TrustManager in X509TrustManagerWrapper, which extends X509ExtendedTrustManager but implements the 3-arg checkServerTrusted(chain, authType, SSLEngine) by discarding the SSLEngine and calling the 2-arg delegate. Because the object now IS an X509ExtendedTrustManager, neither SunJSSE\u0027s internal AbstractTrustManagerWrapper nor Netty\u0027s own OpenSslX509TrustManagerWrapper will re-wrap it to add endpoint-identification. Consequently, even though Netty 4.2 sets endpointIdentificationAlgorithm=\"HTTPS\" by default, a client built with `SslContextBuilder.forClient().trustManager(somePlainX509TrustManager)` performs no hostname verification at all. Versions 4.1.135.Final and 4.2.15.Final patch the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:netty-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-50010",
"url": "https://www.suse.com/security/cve/CVE-2026-50010"
},
{
"category": "external",
"summary": "SUSE Bug 1268259 for CVE-2026-50010",
"url": "https://bugzilla.suse.com/1268259"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:netty-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:netty-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-50010"
},
{
"cve": "CVE-2026-50011",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-50011"
}
],
"notes": [
{
"category": "general",
"text": "Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, RedisArrayAggregator pre-allocates ArrayList with initial capacity equal to the RESP array element count declared in an array header. That count is taken from the wire before the corresponding child messages exist. A small malicious header can claim a huge initial capacity. Versions 4.1.135.Final and 4.2.15.Final patch the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:netty-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-50011",
"url": "https://www.suse.com/security/cve/CVE-2026-50011"
},
{
"category": "external",
"summary": "SUSE Bug 1268260 for CVE-2026-50011",
"url": "https://bugzilla.suse.com/1268260"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:netty-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:netty-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-50011"
},
{
"cve": "CVE-2026-50020",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-50020"
}
],
"notes": [
{
"category": "general",
"text": "Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, before reading the first request-line, `HttpObjectDecoder` skips every byte for which `Character.isISOControl(b)` is `true` (0x00-0x1F and 0x7F) as well as all whitespace. RFC 9112 2.2 only asks servers to ignore empty CRLF lines preceding the request-line - a carefully scoped robustness allowance intended to handle HTTP/1.0 POST workarounds. Silently absorbing NUL bytes, SOH, STX, and other non-CRLF control characters goes significantly beyond this, and can be exploited for request-boundary confusion in pipelined or multiplexed transports where a front-end component treats those bytes differently. Versions 4.1.135.Final and 4.2.15.Final patch the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:netty-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-50020",
"url": "https://www.suse.com/security/cve/CVE-2026-50020"
},
{
"category": "external",
"summary": "SUSE Bug 1268261 for CVE-2026-50020",
"url": "https://bugzilla.suse.com/1268261"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:netty-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:netty-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-50020"
},
{
"cve": "CVE-2026-50560",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-50560"
}
],
"notes": [
{
"category": "general",
"text": "Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty HTTP/2 max header size handling produces an attack similar to HTTP/2 Rapid Reset. There is a setting in the http2 specification called `SETTINGS_MAX_HEADER_LIST_SIZE`. When a client sends that setting to Netty, it appears that Netty will behave as follows: read the request; proxy the request to the origin; attempt to produce a response; and create an exception while writing the headers for the response. Functionally, this should be similar to the http2 reset attack, but with a different on-the-wire signature. Versions 4.1.135.Final and 4.2.15.Final patch the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:netty-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-50560",
"url": "https://www.suse.com/security/cve/CVE-2026-50560"
},
{
"category": "external",
"summary": "SUSE Bug 1268262 for CVE-2026-50560",
"url": "https://bugzilla.suse.com/1268262"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:netty-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:netty-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.135-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.135-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-50560"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…