UBUNTU-CVE-2025-58057

Advisory lineage: Upstream: 1, Downstream: 1
Published: 04 Sept 2025, 10:42
Last modified: 04 Feb 2026, 16:05

Vulnerability Summary

Overall Risk (default): medium (30/100)
CVSS Score: 7.5 HIGH (CVSS 3.1, source: osv_ubuntu)
EPSS Score: No data
KEV: Not listed
Ransomware: No reports
Public exploits: None found
Dark Web: Not detected

Timeline

04 Sept 2025, 10:42: Published (vulnerability first disclosed)
04 Feb 2026, 16:05: Last modified (vulnerability information updated)

Description

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high-performance protocol servers and clients. In netty-codec-compression versions 4.1.124.Final and below, and netty-codec versions 4.2.4.Final and below, when supplied with specially crafted input, BrotliDecoder and certain other decompression decoders will allocate a large number of reachable byte buffers, which can lead to denial of service. BrotliDecoder.decompress places no limit on how often it calls pull, decompressing data 64K bytes at a time. The resulting buffers are saved in the output list and remain reachable until an OutOfMemoryError is hit. This is fixed in versions 4.1.125.Final of netty-codec and 4.2.5.Final of netty-codec-compression.
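The mechanism described above is a decompression loop whose output is retained in full while nothing caps how much is produced. The following is an added illustration of the defensive pattern, not Netty's code and not the patch for this CVE: a decoder loop that pulls 64 KiB at a time and tracks the cumulative output against a caller-supplied limit. It uses DEFLATE via java.util.zip because the JDK ships no Brotli codec; the class name BoundedDecompress, the method decompress, the exception OutputLimitExceeded and the 8 MiB sample input are all assumptions made for this example.

```java
import java.io.ByteArrayOutputStream;
import java.util.zip.DataFormatException;
import java.util.zip.Deflater;
import java.util.zip.Inflater;

/** Added example, not part of Netty: a decompression loop with an output budget. */
public final class BoundedDecompress {
    // 64 KiB per pull, matching the granularity the advisory describes.
    static final int CHUNK = 64 * 1024;

    /** Thrown when the decompressed output would exceed the configured budget (hypothetical type). */
    public static final class OutputLimitExceeded extends RuntimeException {
        OutputLimitExceeded(long limit) {
            super("decompressed output exceeds limit of " + limit + " bytes");
        }
    }

    /**
     * Decompresses {@code compressed}, keeping every produced chunk reachable in {@code out},
     * exactly as an output list in a decoder would. The running total checked against
     * {@code maxOutput} is the mitigation: remove that check and the loop is bounded only by the
     * compression ratio of the input, which is the flaw class the advisory describes.
     */
    public static byte[] decompress(byte[] compressed, long maxOutput) throws DataFormatException {
        Inflater inflater = new Inflater();
        inflater.setInput(compressed);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] chunk = new byte[CHUNK];
        long total = 0;
        try {
            while (!inflater.finished()) {
                int n = inflater.inflate(chunk);
                if (n == 0 && (inflater.needsInput() || inflater.needsDictionary())) {
                    break; // truncated or invalid input: stop rather than spin
                }
                total += n;
                if (total > maxOutput) {
                    throw new OutputLimitExceeded(maxOutput); // reject before retaining more
                }
                out.write(chunk, 0, n);
            }
        } finally {
            inflater.end(); // release native state on every path
        }
        return out.toByteArray();
    }

    /** Helper for the demo: DEFLATE-compress a buffer in memory. */
    static byte[] compress(byte[] plain) {
        Deflater deflater = new Deflater();
        deflater.setInput(plain);
        deflater.finish();
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[CHUNK];
        while (!deflater.finished()) {
            out.write(buf, 0, deflater.deflate(buf));
        }
        deflater.end();
        return out.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: 8 MiB of zeros compresses to a few KiB, a high expansion ratio.
        byte[] compressed = compress(new byte[8 * 1024 * 1024]);
        System.out.println("compressed input: " + compressed.length + " bytes");
        try {
            decompress(compressed, 1L << 20); // budget: at most 1 MiB of output
            System.out.println("accepted");
        } catch (OutputLimitExceeded e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The budget belongs at the decoder, not at a later consumer: by the time a downstream handler sees the output, every chunk has already been allocated and retained. In a pipeline that decompresses request bodies, tie the limit to what the application can legitimately accept and treat a rejection as a protocol error for that connection.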

CVSS Metrics

  • v4.0, MEDIUM, score 6.9: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
  • v3.1, HIGH, score 7.5: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Systems

  • ubuntu: netty

    Affected ranges (all): < 1:4.1.7-4ubuntu0.1+esm5; < 1:4.1.45-1ubuntu0.1~esm4; < 1:4.1.48-4+deb11u2ubuntu0.1; < 1:4.1.48-9ubuntu0.1; < 1:4.1.48-10ubuntu0.25.10.2

References (5)