This vulnerability exists in Netty’s handling of fragmented SCTP messages. The `SctpMessageCompletionHandler` reassembles incomplete fragments by nesting `CompositeByteBuf` objects without any bound.
For each incomplete fragment, the handler performs:
`fragments.put(streamId, Unpooled.wrappedBuffer(frag, byteBuf))`
This operation wraps the previous accumulator and the new fragment into a new CompositeByteBuf. As a result, after N fragments, the accumulator becomes an N‑deep chain of nested composites, each holding references and component arrays. Operations like `readableBytes()` or `getBytes()` then recursively traverse N levels, causing severe performance degradation.
There is no limit on N, on total buffered bytes, or on the number of stream identifiers an attacker can open (each stream gets its own map entry).
By never setting the `complete` flag on DATA chunks, a remote attacker can send an endless stream of tiny fragments (e.g., 1 byte each). This forces Netty to build an ever‑deepening chain of composites, eventually exhausting memory (OOM) and causing a denial of service.
The issue affects Netty versions:
- 4.2.0.Final through 4.2.14.Final
- up to 4.1.134.Final
Patched versions:
- 4.2.15.Final
- 4.1.135.Final
DailyCVE Form:
Platform: Netty framework
Version: 4.1.x ≤134, 4.2.x ≤14
Vulnerability: Unbounded recursion
Severity: High
Date: 2026-06-05
Prediction: 2026-06-08
What Undercode Say:
```bash
# Check Netty version (Maven example)
mvn dependency:tree | grep netty
# Simulate attack (conceptual only: nc -u speaks UDP, not SCTP, so this does not emit an SCTP DATA chunk)
echo -n "SCTP fragment without complete flag" | nc -u target 9899
```
Exploit:
A remote attacker sends a long series of incomplete SCTP DATA chunks, each 1 byte long, without ever setting the `complete` flag. The `SctpMessageCompletionHandler` nests these fragments into an ever‑growing chain of `CompositeByteBuf` objects, eventually causing an out‑of‑memory condition and crashing the JVM.
Protection:
- Upgrade to Netty 4.1.135.Final or 4.2.15.Final.
- If upgrading is not possible, limit the maximum allowed SCTP message size or implement a custom handler that caps fragment depth.
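As an added illustration of the second bullet (this is not Netty's own code and not the upstream patch), the hypothetical handler below replaces the nested `wrappedBuffer(frag, byteBuf)` accumulator with one flat `CompositeByteBuf` per stream and enforces limits on open streams, fragment count and reassembled bytes; the class name and the three limit constants are assumptions.

```java
import io.netty.buffer.CompositeByteBuf;
import io.netty.buffer.Unpooled;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.sctp.SctpMessage;
import io.netty.handler.codec.MessageToMessageDecoder;
import io.netty.handler.codec.TooLongFrameException;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Hypothetical bounded replacement for SctpMessageCompletionHandler (not Netty's own code).
public class BoundedSctpMessageCompletionHandler extends MessageToMessageDecoder<SctpMessage> {
    private static final int MAX_STREAMS = 64;            // assumed: reassembly buffers per channel
    private static final int MAX_FRAGMENTS = 1024;        // assumed: fragments per message
    private static final int MAX_MESSAGE_BYTES = 1 << 20; // assumed: 1 MiB reassembled payload
    private final Map<Integer, CompositeByteBuf> fragments = new HashMap<>();

    @Override
    protected void decode(ChannelHandlerContext ctx, SctpMessage msg, List<Object> out) {
        int streamId = msg.streamIdentifier();
        CompositeByteBuf acc = fragments.get(streamId);
        if (msg.isComplete() && acc == null) {
            msg.retain(); out.add(msg);   // unfragmented: the decoder releases msg after decode()
            return;
        }
        if (acc == null) {
            if (fragments.size() >= MAX_STREAMS) {
                throw new TooLongFrameException("too many SCTP streams awaiting reassembly");
            }
            acc = Unpooled.compositeBuffer(MAX_FRAGMENTS);
            fragments.put(streamId, acc);
        }
        if (acc.numComponents() >= MAX_FRAGMENTS
                || acc.readableBytes() + msg.content().readableBytes() > MAX_MESSAGE_BYTES) {
            fragments.remove(streamId).release();   // drop the partial message and reject the stream
            throw new TooLongFrameException("SCTP message on stream " + streamId + " exceeds limits");
        }
        // Flat append into one composite: no nested wrapper chain, so readableBytes()/getBytes() do not recurse N deep.
        acc.addComponent(true, msg.content().retain());
        if (msg.isComplete()) {
            fragments.remove(streamId);
            out.add(new SctpMessage(msg.protocolIdentifier(), streamId, msg.isUnordered(), acc));
        }
    }

    @Override
    public void handlerRemoved(ChannelHandlerContext ctx) {
        for (CompositeByteBuf buf : fragments.values()) buf.release();   // free partial messages on teardown
        fragments.clear();
    }
}
```

The `TooLongFrameException` surfaces through `exceptionCaught`, where the application can log the peer and close the channel.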
Impact:
- Denial of service (DoS) via memory exhaustion.
- Remote, unauthenticated attacker can crash the Netty server.
- Affects any application using Netty’s SCTP transport (e.g., IoT, telecom, custom protocols).
Sources:
Reported By: github.com