CVE-2026-42583: Netty Lz4FrameDecoder Vulnerability Exposes Apps to DoS

The National Vulnerability Database has detailed CVE-2026-42583, a high-severity vulnerability (CVSS 7.5) affecting Netty, an asynchronous network application framework. The flaw resides in Lz4FrameDecoder, which allocates a ByteBuf of up to 32 MB per block before LZ4 decompression runs. An attacker can trigger this allocation with a mere 21-byte header and a minimal payload.

This pre-allocation vulnerability creates a significant denial-of-service (DoS) risk. A remote, unauthenticated attacker can exploit this by sending specially crafted, small requests, forcing the server to consume vast amounts of memory. This can quickly exhaust system resources, making the application unresponsive to legitimate users. The National Vulnerability Database indicates this directly impacts the availability of affected systems.

Netty versions prior to 4.2.13.Final and 4.1.133.Final are vulnerable. Defenders must prioritize patching to these fixed versions immediately. This is a classic resource exhaustion attack, simple to execute and potentially devastating for critical applications relying on Netty.

What This Means For You

  • If your applications utilize Netty, specifically versions prior to 4.2.13.Final or 4.1.133.Final, you are directly exposed to a remote denial-of-service attack via CVE-2026-42583. Prioritize patching to the fixed versions immediately to prevent resource exhaustion and ensure application availability. Audit your dependency trees to identify all instances of Netty.
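One way to run the dependency audit described above, as an added example (not code from Netty or from the original advisory): it reads `mvn dependency:tree` output and classifies each io.netty artifact against the two fixed releases. The sample tree is constructed, and checking every io.netty artifact rather than only the one that ships Lz4FrameDecoder is an assumption made here, since the advisory does not name the artifact.

```python
import re

# Fixed releases named in the advisory, keyed by (major, minor) release line.
FIXED = {(4, 1): (4, 1, 133), (4, 2): (4, 2, 13)}
COORD = re.compile(r"io\.netty:[\w.\-]+(?::[\w.\-]+)+")
VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.(\w+))?$")

# Constructed sample of `mvn dependency:tree` output (not from a real project).
SAMPLE_TREE = r"""
[INFO] com.example:gateway:jar:1.0.0
[INFO] +- io.netty:netty-codec:jar:4.1.100.Final:compile
[INFO] |  \- io.netty:netty-buffer:jar:4.1.100.Final:compile
[INFO] +- io.netty:netty-transport-native-epoll:jar:linux-x86_64:4.1.133.Final:runtime
[INFO] +- io.netty:netty-all:jar:4.2.12.Final:compile
[INFO] \- io.netty:netty-tcnative-boringssl-static:jar:2.0.61.Final:runtime
"""


def classify(version):
    """Return 'vulnerable', 'fixed' or 'unknown' for a Netty version string."""
    m = VERSION.match(version)
    if not m:
        return "unknown"
    parts = tuple(int(x) for x in m.group(1, 2, 3))
    fixed = FIXED.get(parts[:2])
    if fixed is None:
        return "unknown"  # release line not covered by the advisory text
    if parts < fixed:
        return "vulnerable"
    # Same numbers as the fixed release: a pre-release qualifier (e.g. RC1)
    # sorts before .Final, so it does not count as patched.
    if parts == fixed and m.group(4) not in (None, "Final"):
        return "vulnerable"
    return "fixed"


def audit(tree_text):
    """Map (artifact, version) for every io.netty coordinate to its status."""
    findings = {}
    for line in tree_text.splitlines():
        m = COORD.search(line)
        if not m:
            continue
        fields = m.group(0).split(":")
        # groupId:artifactId:type[:classifier]:version[:scope]
        version = next((f for f in fields[2:] if VERSION.match(f)), None)
        if version is not None:
            findings[(fields[1], version)] = classify(version)
    return findings


if __name__ == "__main__":
    for (artifact, version), status in sorted(audit(SAMPLE_TREE).items()):
        print(f"{status:<10} io.netty:{artifact}:{version}")
```

Artifacts reported as `unknown` follow a different version scheme or release line and need a manual check.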

🛡️ Detection Rules

high T1190 Initial Access

CVE-2026-42583: Netty Lz4FrameDecoder Excessive Allocation Attempt

Sigma YAML — free preview
title: CVE-2026-42583: Netty Lz4FrameDecoder Excessive Allocation Attempt
id: scw-2026-05-13-ai-1
status: experimental
level: high
description: |
  This rule detects potential exploitation attempts against CVE-2026-42583. The vulnerability in Netty's Lz4FrameDecoder allows an attacker to trigger excessive memory allocation by sending a crafted LZ4 compressed payload. This detection looks for POST requests to common Netty ports (e.g., 8080) containing 'LZ4' in the query string, which could indicate an attempt to exploit this DoS vulnerability.
author: SCW Feed Engine (AI-generated)
date: 2026-05-13
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-42583/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri-query|contains:
      - 'LZ4'
    cs-method:
      - 'POST'
  selection_base:
    sc-status:
      - '200'
    dst_port:
      - '8080'
  # Exclude loopback traffic (Sigma has no "not" field modifier; negate in the condition)
  filter_local:
    src_ip:
      - '127.0.0.1'
  condition: selection and selection_base and not filter_local
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World

Indicators of Compromise

ID | Type | Indicator
CVE-2026-42583 | DoS | Netty Lz4FrameDecoder prior to versions 4.2.13.Final and 4.1.133.Final
CVE-2026-42583 | DoS | Netty Lz4FrameDecoder vulnerable to excessive ByteBuf allocation (up to 32 MB per block) via small payload

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 13, 2026 at 22:17 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
