CVE-2026-44249: Netty has an IPv6 Subnet Filter Bypass via Incorrect Comparator Masking

June 8, 2026 (updated June 12, 2026)

An attacker can bypass IPv6 subnet rules due to an incorrect masking operation in IpSubnetFilterRule.compareTo(). Valid public IP addresses can bypass the restrictions.

References

github.com/advisories/GHSA-3qp7-7mw8-wx86
github.com/netty/netty/releases/tag/netty-4.1.135.Final
github.com/netty/netty/releases/tag/netty-4.2.15.Final
github.com/netty/netty/security/advisories/GHSA-3qp7-7mw8-wx86
nvd.nist.gov/vuln/detail/CVE-2026-44249

Code Behaviors & Features

Detect and mitigate CVE-2026-44249 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →