CVE-2026-42583: Netty Lz4FrameDecoder is vulnerable to resource exhaustion

May 7, 2026

Lz4FrameDecoder allocates a ByteBuf of size decompressedLength (up to 32 MB per block) before LZ4 runs. A peer only needs a 21-byte header plus compressedLength payload bytes - 22 bytes if compressedLength == 1 - to force that allocation.

References

github.com/advisories/GHSA-mj4r-2hfc-f8p6
github.com/netty/netty
github.com/netty/netty/security/advisories/GHSA-mj4r-2hfc-f8p6
nvd.nist.gov/vuln/detail/CVE-2026-42583

Code Behaviors & Features

Detect and mitigate CVE-2026-42583 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →