Netty IpSubnetFilterRule IPv6 Bypass < 4.1.135/4.2.15
CVE-2026-44249 Published on June 11, 2026
Netty has an IPv6 Subnet Filter Bypass via Incorrect Comparator Masking
Netty is a network application framework for development of protocol servers and clients. In netty-handler prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can bypass IPv6 subnet rules due to an incorrect masking operation in IpSubnetFilterRule.compareTo(). Valid public IP addresses can bypass the restrictions. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Vulnerability Analysis
CVE-2026-44249 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Types
What is an Authorization Vulnerability?
The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CVE-2026-44249 has been classified as an Authorization vulnerability or weakness.
Incorrect Comparison
The software compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses.
Products Associated with CVE-2026-44249
Affected Versions
netty:
- Version >= 4.2.0.Final, < 4.2.15.Final is affected.
- Version < 4.1.135.Final is affected.
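To check a build against the affected ranges listed above, the following added example (not code from this advisory or from the Netty project) scans `mvn dependency:tree` output for `io.netty:netty-handler` and flags affected versions. The sample tree, the function names and the choice to ignore version qualifiers such as `.Final` are assumptions made for the example.

```python
import re

# Fixed releases, taken from the advisory text above.
FIXED_41 = (4, 1, 135)
FIXED_42 = (4, 2, 15)

# Maven prints coordinates as group:artifact:type[:classifier]:version:scope.
# Type and classifier start with a letter, the version starts with a digit.
COORD = re.compile(
    r"io\.netty:netty-handler:(?:[A-Za-z][\w-]*:)*(\d+)\.(\d+)\.(\d+)"
)

def is_affected(version):
    """Apply the advisory's two ranges to a (major, minor, patch) tuple.

    Qualifiers are ignored (assumption), so a pre-release such as
    4.2.0.RC1 is treated as 4.2.0 and reported conservatively.
    """
    if version < FIXED_41:          # "Version < 4.1.135.Final is affected"
        return True
    return (4, 2, 0) <= version < FIXED_42   # ">= 4.2.0.Final, < 4.2.15.Final"

def scan(tree_output):
    """Return [(version, affected)] for every netty-handler line found."""
    findings = []
    for line in tree_output.splitlines():
        m = COORD.search(line)
        if m:
            version = tuple(int(g) for g in m.group(1, 2, 3))
            findings.append((".".join(map(str, version)), is_affected(version)))
    return findings

# Constructed sample: dependency-tree lines gathered from several modules.
SAMPLE_TREE = """\
[INFO] com.example:gateway:jar:1.0.0
[INFO] +- io.netty:netty-handler:jar:4.1.118.Final:compile
[INFO] |  \\- io.netty:netty-transport:jar:4.1.118.Final:compile
[INFO] +- io.netty:netty-handler-proxy:jar:4.1.118.Final:compile
[INFO] +- io.netty:netty-handler:jar:4.2.15.Final:runtime
[INFO] \\- io.netty:netty-handler:jar:4.2.3.Final:compile
"""

if __name__ == "__main__":
    for version, affected in scan(SAMPLE_TREE):
        print(f"netty-handler {version}: {'AFFECTED' if affected else 'ok'}")
```

Only `netty-handler` is matched because that is the artifact the advisory names; shaded or repackaged copies of Netty will not appear under this coordinate and need a separate check.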