CVE-2026-46340: Netty: SCTP reassembly nests buffers without bound

June 8, 2026

For each non-complete SctpMessage fragment the handler does fragments.put(streamId, Unpooled.wrappedBuffer(frag, byteBuf)), wrapping the previous accumulator and the new slice into a new CompositeByteBuf every time. After N fragments the accumulator is an N-deep chain of composites, each holding references and component arrays; readableBytes()/getBytes() on the final buffer recurse N levels. There is no limit on N, on total bytes, or on the number of streamIdentifiers an attacker can open (each gets its own map entry). A peer that never sets the complete flag can grow this structure indefinitely from tiny 1-byte DATA chunks.

References

github.com/advisories/GHSA-5xrh-qmmq-w6ch
github.com/netty/netty/releases/tag/netty-4.1.135.Final
github.com/netty/netty/releases/tag/netty-4.2.15.Final
github.com/netty/netty/security/advisories/GHSA-5xrh-qmmq-w6ch
nvd.nist.gov/vuln/detail/CVE-2026-46340

Code Behaviors & Features

Detect and mitigate CVE-2026-46340 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →