CVE-2026-48059: Netty HAProxy: Unbalanced Reference Count in Nested PP2_TYPE_SSL TLV Parsing Leads to Memory Exhaustion

Published Jun 11, 2026
·
Updated

Impact The HAProxy PROXY protocol v2 codec in netty leaks native or heap memory on every connection when a client sends a syntactically valid header containing nested PP2TYPESSL TLVs (type-length-value records) at depth two or greater. The leak occurs on the successful parse path — no exception is thrown, the message fires downstream, the decoder removes itself, and the application releases the HAProxyMessage normally. Yet the underlying cumulation buffer (a pooled, potentially direct ByteBuf allocated by the channel) remains permanently pinned.

Other sources

Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, the HAProxy PROXY protocol v2 codec in netty leaks native or heap memory on every connection when a client sends a syntactically valid header containing nested PP2TYPESSL TLVs (type-length-value records) at depth two or greater. The leak occurs on the successful parse path — no exception is thrown, the message fires downstream, the decoder removes itself, and the application releases the HAProxyMessage normally. Yet the underlying cumulation buffer (a pooled, potentially direct ByteBuf allocated by the channel) remains permanently pinned. Versions 4.1.135.Final and 4.2.15.Final patch the issue.

MITRE

Affected Software

4 affected componentsFixes available
maven/io.netty:netty-codec-haproxy<=4.1.134.Final
4.1.135.Final
maven/io.netty:netty-codec-haproxy>=4.2.0.Final<=4.2.14.Final
4.2.15.Final
Netty Netty<4.1.135
Netty Netty>=4.2.0<4.2.15

Event History

Jun 11, 2026
Advisory Published
via GitHub·08:19 PM
Data Sourced
via GitHub·08:19 PM
DescriptionWeaknessAffected Software
Jun 12, 2026
CVE Published
via MITRE·02:42 PM
Data Sourced
via MITRE·02:42 PM
DescriptionWeakness
Data Sourced
via NVD·04:16 PM
DescriptionSeverityWeaknessAffected Software
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2026-48059?

CVE-2026-48059 is classified as having a high severity with a CVSS score of 8.7.

2

How do I fix CVE-2026-48059?

To address CVE-2026-48059, upgrade to the latest version of the Netty HAProxy codec, specifically version 4.1.135 or 4.2.15 or later.

3

What causes CVE-2026-48059?

CVE-2026-48059 is caused by an unbalanced reference count during the parsing of nested PP2_TYPE_SSL TLVs in the HAProxy PROXY protocol v2 codec.

4

What are the consequences of CVE-2026-48059?

The consequences of CVE-2026-48059 include potential memory exhaustion leading to Denial of Service if exploited by attackers.

5

What software is affected by CVE-2026-48059?

CVE-2026-48059 affects the maven/io.netty:netty-codec-haproxy software.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203