CVE-2023-34462
CVE-2023-34462 is a medium-severity vulnerability in Netty with a CVSS 3.x base score of 6.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-770.
Key facts
- Severity: Medium (CVSS 3.x base score 6.5)
- EPSS exploit prediction: 2% (82nd percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-770
- Affected product: Netty
- Published:
- Last modified:
Description
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the `SniHandler` to allocate 16MB of heap. The `SniHandler` class is a handler that waits for the TLS handshake to configure a `SslHandler` according to the indicated server name by the `ClientHello` record. For this matter it allocates a `ByteBuf` using the value defined in the `ClientHello` record. Normally the value of the packet should be smaller than the handshake packet but there are not checks done here and the way the code is written, it is possible to craft a packet that makes the `SslClientHelloHandler`. This vulnerability has been fixed in version 4.1.94.Final.
Frequently asked questions
- What is CVE-2023-34462?
- Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the `SniHandler` to allocate 16MB of heap. The `SniHandler` class is a handler that waits for the TLS handshake to configure a `SslHandler` according to the indicated server name by the `ClientHello` record. For this matter it allocates a `ByteBuf` using the value defined in the `ClientHello` record. Normally the value of the packet should be smaller than the handshake packet but there are not checks done here and the way the code is written, it is possible to craft a packet that makes the `SslClientHelloHandler`. This vulnerability has been fixed in version 4.1.94.Final.
- How severe is CVE-2023-34462?
- CVE-2023-34462 has a CVSS 3.x base score of 6.5, rated medium severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is none, integrity none, and availability high.
- Is CVE-2023-34462 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 2% (82nd percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2023-34462?
- CVE-2023-34462 affects Netty. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2023-34462?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2023-34462 published?
- CVE-2023-34462 was published on 2023-06-22 and last updated on 2026-06-17.
References
- https://github.com/netty/netty/commit/535da17e45201ae4278c0479e6162bb4127d4c32
- https://github.com/netty/netty/security/advisories/GHSA-6mjq-h674-j845
- https://security.netapp.com/advisory/ntap-20230803-0001/
- https://security.netapp.com/advisory/ntap-20240621-0007/
- https://www.debian.org/security/2023/dsa-5558
Affected products (1)
- cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*
More vulnerabilities in Netty
- CVE-2019-20445 — Critical (CVSS 9.1): HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second…
- CVE-2019-20444 — Critical (CVSS 9.1): HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a…
- CVE-2026-47691 — High (CVSS 8.7): Netty is a network application framework for development of protocol servers and clients. Prior to versions…
- CVE-2026-45674 — High (CVSS 8.7): Netty is a network application framework for development of protocol servers and clients. Prior to versions…
- CVE-2026-44249 — High (CVSS 8.1): Netty is a network application framework for development of protocol servers and clients. In netty-handler prior to…
- CVE-2026-50011 — High (CVSS 7.5): Netty is a network application framework for development of protocol servers and clients. Prior to versions…
Other CWE-770 (Allocation of Resources Without Limits or Throttling) vulnerabilities
- CVE-2026-31283 — Critical (CVSS 9.8): In Totara LMS v19.1.5 and before, the forgot password API does not implement rate limiting for the target email…
- CVE-2020-37067 — Critical (CVSS 9.8): Filetto 1.0 FTP server contains a denial of service vulnerability in the FEAT command processing that allows attackers…
- CVE-2021-47875 — Critical (CVSS 9.8): GeoGebra CAS Calculator 6.0.631.0 contains a denial of service vulnerability that allows attackers to crash the…
- CVE-2025-11832 — Critical (CVSS 9.8): Allocation of Resources Without Limits or Throttling vulnerability in Azure Access Technology BLU-IC2, Azure Access…
- CVE-2024-44241 — Critical (CVSS 9.8): The issue was addressed with improved bounds checks. This issue is fixed in iOS 18.1 and iPadOS 18.1, macOS Sequoia…
- CVE-2022-3439 — Critical (CVSS 9.8): Allocation of Resources Without Limits or Throttling in GitHub repository ikus060/rdiffweb prior to 2.5.0.
Browse all CWE-770 (Allocation of Resources Without Limits or Throttling) vulnerabilities →