Netty TLS ClientHello Memory Exhaustion Attack

Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, SslClientHelloHandler.decode() reads the 24-bit TLS handshake length and, when the ClientHello does not fit in the first record, eagerly allocates `ctx.alloc().buffer(handshakeLength)` (line 161). The guard at line 140 is `handshakeLength > maxClientHelloLength && maxClientHelloLength != 0`, and the commonly-used SniHandler/AbstractSniHandler constructors (SniHandler(Mapping), SniHandler(AsyncMapping), AbstractSniHandler()) pass maxClientHelloLength=0 and handshakeTimeoutMillis=0, so the length guard is disabled and no timeout is scheduled. A 16 MiB request exceeds the default pooled chunk size and becomes a huge/unpooled allocation performed immediately. The buffer is retained in the handler until the channel closes. Versions 4.1.135.Final and 4.2.15.Final patch the issue.

Casky was already ahead

This CVE exploits attack patterns that Casky's 312matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.

Analysis

CVE-2026-45416 is a denial-of-service vulnerability in Netty's SslClientHelloHandler that exploits improper memory allocation during TLS handshake processing. When a ClientHello message spans multiple TLS records, the handler eagerly allocates a buffer based on the 24-bit handshake length field without properly validating it against maximum limits. An attacker can craft malicious TLS handshakes with oversized length values to trigger unbounded memory allocation, exhausting server resources and causing service disruption. This affects all Netty versions prior to 4.1.135.Final and 4.2.15.Final, impacting any application using Netty as its network foundation—particularly protocol servers handling untrusted TLS connections.

Casky's 312 mapped security skills leverage Claude AI's extended reasoning to detect the resource exhaustion patterns underlying this vulnerability. Practitioners would observe detections aligned with MITRE ATT&CK technique TA0040 (Impact) through resource consumption monitoring and TA0011 (Command and Control) through anomalous TLS handshake patterns. The platform identifies suspicious indicators including: abnormally large ClientHello length declarations that exceed protocol norms, rapid sequential allocation failures correlating with memory pressure spikes, and TLS handshake records with mismatched length fields. By analyzing network traffic patterns and application behavior simultaneously, Casky helps practitioners pinpoint exploitation attempts before memory exhaustion occurs, distinguishing legitimate ClientHello fragmentation from deliberate resource exhaustion attacks.

Live Threat IntelligenceComing soon

Casky Risk Score

—

EPSS Probability

—

Shodan Exposure

—

GreyNoise Signal

—

Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →

312 Casky skills cover this attack pattern

These skills use Claude AI's reasoning model to surface findings in the same attack categories as CVE-2026-45416.

analyzing-android-malware-with-apktool

malware analysis · medium

Run

analyzing-apt-group-with-mitre-navigator

threat intelligence · low

Run

analyzing-bootkit-and-rootkit-samples

malware analysis · medium

Run

MITRE ATT&CK Techniques

TA0040 TA0011

Investigate the attack patterns behind CVE-2026-45416

Casky has 312 skills that investigate the attack patterns behind CVE-2026-45416. Run one and get CVSS-scored findings in 3 minutes.

Run the skill that detects this →

X Instagram LinkedIn