CVE-2026-44249 — Netty has an IPv6 Subnet Filter Bypass via Incorrect Comparator Masking

Description

Netty is a network application framework for development of protocol servers and clients. In netty-handler prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can bypass IPv6 subnet rules due to an incorrect masking operation in IpSubnetFilterRule.compareTo(). Valid public IP addresses can bypass the restrictions. Versions 4.1.135.Final and 4.2.15.Final patch the issue.

How to fix CVE-2026-44249

To remediate CVE-2026-44249, upgrade the affected package to a fixed version below.

—no fix listed
—upgrade to 4.2.15.Final or later

Is CVE-2026-44249 being exploited?

No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-44249.

Affected packages (2)

from 0
>= 4.2.0.Final, < 4.2.15.Final

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.1	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-44249
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2026-44249
PATCHgithub.com/netty/netty
WEBgithub.com/netty/netty/releases/tag/netty-4.1.135.Final
WEB