GHSA-5xrh-qmmq-w6chHighCVSS 7.5

Netty: SCTP reassembly nests buffers without bound

Published
June 8, 2026
Last Modified
June 8, 2026

🔗 CVE IDs covered (1)

📋 Description

For each non-complete SctpMessage fragment the handler does fragments.put(streamId, Unpooled.wrappedBuffer(frag, byteBuf)), wrapping the previous accumulator and the new slice into a new CompositeByteBuf every time. After N fragments the accumulator is an N-deep chain of composites, each holding references and component arrays; readableBytes()/getBytes() on the final buffer recurse N levels. There is no limit on N, on total bytes, or on the number of streamIdentifiers an attacker can open (each gets its own map entry). A peer that never sets the complete flag can grow this structure indefinitely from tiny 1-byte DATA chunks.

🎯 Affected products2

  • maven/io.netty:netty-transport-sctp:>= 4.2.0.Final, <= 4.2.14.Final
  • maven/io.netty:netty-transport-sctp:<= 4.1.134.Final

🔗 References (4)