Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Lz4FrameDecoder allocates a ByteBuf of size decompressedLength (up to 32 MB per block) before LZ4 runs. A peer only needs a 21-byte header plus compressedLength payload bytes - 22 bytes if compressedLength == 1 - to force that allocation. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
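A pre-allocation sanity check on the declared sizes, as an added example (not Netty's code and not the upstream fix). The header layout (8-byte "LZ4Block" magic, 1-byte token, little-endian compressed and decompressed lengths, 4-byte checksum), the class and method names, and the 255:1 ratio limit are assumptions of this sketch.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;

public class Lz4HeaderCheck {
    static final int HEADER_LENGTH = 21;            // 8 magic + 1 token + 4 + 4 + 4 checksum
    static final long MAGIC = 0x4C5A34426C6F636BL;  // ASCII "LZ4Block"
    static final int MAX_RATIO = 255;               // assumed policy bound; tune per deployment

    /** Returns null when the declared sizes are plausible, otherwise the reason to reject. */
    static String reject(byte[] header) {
        if (header.length < HEADER_LENGTH) return "short header";
        ByteBuffer b = ByteBuffer.wrap(header);     // big-endian by default, used for the magic
        if (b.getLong() != MAGIC) return "bad magic";
        int token = b.get() & 0xFF;
        b.order(ByteOrder.LITTLE_ENDIAN);           // length fields are little-endian
        int compressed = b.getInt();
        int decompressed = b.getInt();
        int maxBlock = 1 << ((token & 0x0F) + 10);  // at most 1 << 25 = 32 MB per block
        if (compressed < 0 || decompressed < 0 || decompressed > maxBlock) {
            return "length out of range";
        }
        // A stored (non-compressed) block cannot change size.
        if ((token & 0xF0) == 0x10 && compressed != decompressed) {
            return "raw block size mismatch";
        }
        // Refuse to reserve far more memory than the payload could expand to.
        if ((long) decompressed > (long) compressed * MAX_RATIO) {
            return "implausible expansion: " + compressed + " -> " + decompressed + " bytes";
        }
        return null;
    }

    // Builds a constructed sample header; the checksum field is left as zero.
    static byte[] header(int token, int compressed, int decompressed) {
        return ByteBuffer.allocate(HEADER_LENGTH).putLong(MAGIC).put((byte) token)
                .order(ByteOrder.LITTLE_ENDIAN)
                .putInt(compressed).putInt(decompressed).putInt(0).array();
    }

    public static void main(String[] args) {
        // Constructed inputs: an ordinary block, then the 1-byte-to-32-MB case from the advisory.
        System.out.println(reject(header(0x2F, 4096, 65536)));  // null (accepted)
        System.out.println(reject(header(0x2F, 1, 1 << 25)));   // implausible expansion: ...
    }
}
```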
Exploitability: AV:N, AC:L, PR:N, UI:N
Scope: S:U
Impact: C:N, I:N, A:H
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H