Netty has an IPv6 Subnet Filter Bypass via Incorrect Comparator Masking

Summary

An attacker can bypass IPv6 subnet rules due to an incorrect masking operation in IpSubnetFilterRule.compareTo(). Valid public IP addresses can bypass the restrictions.

Details

io.netty.handler.ipfilter.IpSubnetFilterRule#compareTo(java.net.InetSocketAddress) method performs a bitwise AND between the incoming IP address and the configured networkAddress, instead of the subnetMask.

Impact

Access Control Bypass. Attacker can bypass IpSubnetFilter IPv6 access controls.

References

chrisvest published to netty/netty Jun 5, 2026

Published to the GitHub Advisory Database Jun 8, 2026

Reviewed Jun 8, 2026

Published by the National Vulnerability Database Jun 11, 2026

Last updated Jun 12, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Package

Affected versions

Patched versions

Description

Summary

Details

Impact

References

Severity

CVSS overall score

CVSS v3 base metrics

CVSS v3 base metrics

EPSS score

Exploit Prediction Scoring System (EPSS)

Weaknesses

Improper Access Control

Incorrect Comparison

CVE ID

GHSA ID

Source code

Credits

Uh oh!