Summary
Netty HAProxy: Unbalanced Reference Count in Nested PP2TYPESSL TLV Parsing Leads to Memory Exhaustion
Impact
The HAProxy PROXY protocol v2 codec in netty leaks native or heap memory on every connection when a client sends a syntactically valid header containing nested PP2_TYPE_SSL TLVs (type-length-value records) at depth two or greater. The leak occurs on the successful parse path, no exception is thrown, the message fires downstream, the decoder removes itself, and the application releases the HAProxyMessage normally. Yet the underlying cumulation buffer (a pooled, potentially direct ByteBuf allocated by the channel) remains permanently pinned.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
io.netty:netty-codec-haproxy to 4.2.15.Final or later; io.netty:netty-codec-haproxy to 4.1.135.Final or later
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2026-48059? CVE-2026-48059 is a high-severity security vulnerability in io.netty:netty-codec-haproxy (maven), affecting versions >= 4.2.0.Final, <= 4.2.14.Final. It is fixed in 4.2.15.Final, 4.1.135.Final.
- Which versions of io.netty:netty-codec-haproxy are affected by CVE-2026-48059? io.netty:netty-codec-haproxy (maven) versions >= 4.2.0.Final, <= 4.2.14.Final is affected.
- Is there a fix for CVE-2026-48059? Yes. CVE-2026-48059 is fixed in 4.2.15.Final, 4.1.135.Final. Upgrade to this version or later.
- Is CVE-2026-48059 exploitable, and should I be worried? Whether CVE-2026-48059 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-48059 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-48059?
- Upgrade
io.netty:netty-codec-haproxyto 4.2.15.Final or later - Upgrade
io.netty:netty-codec-haproxyto 4.1.135.Final or later
- Upgrade