GHSA-3qp7-7mw8-wx86HighCVSS 8.1

Netty has an IPv6 Subnet Filter Bypass via Incorrect Comparator Masking

Published
June 8, 2026
Last Modified
June 8, 2026

🔗 CVE IDs covered (1)

📋 Description

Summary

An attacker can bypass IPv6 subnet rules due to an incorrect masking operation in IpSubnetFilterRule.compareTo(). Valid public IP addresses can bypass the restrictions.

Details

io.netty.handler.ipfilter.IpSubnetFilterRule#compareTo(java.net.InetSocketAddress) method performs a bitwise AND between the incoming IP address and the configured networkAddress, instead of the subnetMask.

Impact

Access Control Bypass. Attacker can bypass IpSubnetFilter IPv6 access controls.

🎯 Affected products2

  • maven/io.netty:netty-handler:>= 4.2.0.Final, <= 4.2.14.Final
  • maven/io.netty:netty-handler:<= 4.1.134.Final

🔗 References (4)