CVE-2026-44248: Netty MQTT: Resource exhaustion in MqttDecoder

May 7, 2026 (updated May 14, 2026)

The MQTT 5 header Properties section is parsed and buffered before any message size limit is applied.

Specifically, in MqttDecoder, the decodeVariableHeader() method is called before the bytesRemainingBeforeVariableHeader > maxBytesInMessage check. The decodeVariableHeader() can call other methods which will call decodeProperties(). Effectively, Netty does not apply any limits to the size of the properties being decoded.

Additionally, because MqttDecoder extends ReplayingDecoder, Netty will repeatedly re-parse the enormous Properties sections and buffer the bytes in memory, until the entire thing parses to completion.

This can cause high resource usage in both CPU and memory.

References

Code Behaviors & Features

Detect and mitigate CVE-2026-44248 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →