CVE-2025-24970 — SslHandler doesn't correctly validate packets which can lead to native crash whe

Description

### Impact When a special crafted packet is received via SslHandler it doesn't correctly handle validation of such a packet in all cases which can lead to a native crash. ### Workarounds As workaround its possible to either disable the usage of the native SSLEngine or changing the code from: ``` SslContext context = ...; SslHandler handler = context.newHandler(....); ``` to: ``` SslContext context = ...; SSLEngine engine = context.newEngine(....); SslHandler handler = new SslHandler(engine, ....); ```

How to fix CVE-2025-24970

To remediate CVE-2025-24970, upgrade the affected package to a fixed version below.

—upgrade to 4.1.118.Final or later

Is CVE-2025-24970 being exploited?

Low — EPSS is 1.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 4.1.91.Final, < 4.1.118.Final

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References (7)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-24970
PATCHgithub.com/netty/netty
WEBgithub.com/netty/netty/commit/87f40725155b2f89adfde68c7732f97c153676c4
WEBgithub.com/netty/netty/security/advisories/GHSA-4g8c-wm8x-jfhw