Vulnerability details: VCID-abq9-s6ra-m3gv
Vulnerability ID VCID-abq9-s6ra-m3gv
Aliases CVE-2022-41881
GHSA-fx2c-96vj-985v
Summary Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround, except using a custom HaProxyMessageDecoder.
Status Published
Exploitability 0.5
Weighted Severity 6.8
Risk 3.4
Affected and Fixed Packages Package Details
Weaknesses (3)
System Score Found at
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-41881.json
epss 0.00077 https://api.first.org/data/v1/epss?cve=CVE-2022-41881
cvssv3.1 7.5 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-fx2c-96vj-985v
cvssv3.1 5.3 https://github.com/netty/netty
generic_textual MODERATE https://github.com/netty/netty
cvssv3.1 5.3 https://github.com/netty/netty/security/advisories/GHSA-fx2c-96vj-985v
cvssv3.1_qr MODERATE https://github.com/netty/netty/security/advisories/GHSA-fx2c-96vj-985v
generic_textual MODERATE https://github.com/netty/netty/security/advisories/GHSA-fx2c-96vj-985v
cvssv3.1 5.3 https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html
generic_textual MODERATE https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html
cvssv3.1 5.3 https://nvd.nist.gov/vuln/detail/CVE-2022-41881
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2022-41881
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2022-41881
cvssv3.1 5.3 https://security.netapp.com/advisory/ntap-20230113-0004
generic_textual MODERATE https://security.netapp.com/advisory/ntap-20230113-0004
cvssv3.1 5.3 https://www.debian.org/security/2023/dsa-5316
generic_textual MODERATE https://www.debian.org/security/2023/dsa-5316
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-41881.json
https://api.first.org/data/v1/epss?cve=CVE-2022-41881
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37136
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37137
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43797
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41881
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41915
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/netty/netty
https://github.com/netty/netty/security/advisories/GHSA-fx2c-96vj-985v
https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html
https://nvd.nist.gov/vuln/detail/CVE-2022-41881
https://security.netapp.com/advisory/ntap-20230113-0004
https://security.netapp.com/advisory/ntap-20230113-0004/
https://www.debian.org/security/2023/dsa-5316
1027180 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1027180
2153379 https://bugzilla.redhat.com/show_bug.cgi?id=2153379
cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
GHSA-fx2c-96vj-985v https://github.com/advisories/GHSA-fx2c-96vj-985v
RHSA-2023:0577 https://access.redhat.com/errata/RHSA-2023:0577
RHSA-2023:0713 https://access.redhat.com/errata/RHSA-2023:0713
RHSA-2023:0758 https://access.redhat.com/errata/RHSA-2023:0758
RHSA-2023:0888 https://access.redhat.com/errata/RHSA-2023:0888
RHSA-2023:2100 https://access.redhat.com/errata/RHSA-2023:2100
RHSA-2023:2705 https://access.redhat.com/errata/RHSA-2023:2705
RHSA-2023:2706 https://access.redhat.com/errata/RHSA-2023:2706
RHSA-2023:2707 https://access.redhat.com/errata/RHSA-2023:2707
RHSA-2023:2710 https://access.redhat.com/errata/RHSA-2023:2710
RHSA-2023:2713 https://access.redhat.com/errata/RHSA-2023:2713
RHSA-2023:3373 https://access.redhat.com/errata/RHSA-2023:3373
RHSA-2023:3374 https://access.redhat.com/errata/RHSA-2023:3374
RHSA-2023:4627 https://access.redhat.com/errata/RHSA-2023:4627
RHSA-2025:1746 https://access.redhat.com/errata/RHSA-2025:1746
RHSA-2025:1747 https://access.redhat.com/errata/RHSA-2025:1747
USN-6049-1 https://usn.ubuntu.com/6049-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-41881.json

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/netty/netty

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/netty/netty/security/advisories/GHSA-fx2c-96vj-985v

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://nvd.nist.gov/vuln/detail/CVE-2022-41881

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2022-41881

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://security.netapp.com/advisory/ntap-20230113-0004

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://www.debian.org/security/2023/dsa-5316

Exploit Prediction Scoring System (EPSS)
Percentile 0.23709
EPSS Score 0.00077
Published At June 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-01T12:12:17.010717+00:00 Ubuntu USN Importer Import https://usn.ubuntu.com/6049-1/ 36.1.3