Skip to main content

Netty netty-codec-http2 CVE-2026-48043

| EUVDEUVD-2026-36494 HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-06-11 https://github.com/netty/netty GHSA-c2gf-v879-257j
7.5
CVSS 3.1 · NVD
Share

Severity by source

Vendor (https://github.com/netty/netty) PRIMARY
MEDIUM
qualitative
NVD
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Network-accessible, unauthenticated, zero-interaction path; JVM termination via OOME represents complete availability loss, warranting A:H over the official A:L.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
HIGH
qualitative
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (https://github.com/netty/netty).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Severity Changed
Jun 15, 2026 - 02:07 NVD
MEDIUM HIGH
CVSS changed
Jun 15, 2026 - 02:07 NVD
5.3 (MEDIUM) 7.5 (HIGH)
Source Code Evidence Fetched
Jun 11, 2026 - 13:58 vuln.today
Analysis Generated
Jun 11, 2026 - 13:58 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 5 maven packages depend on io.netty:netty-codec-http2 (5 direct, 0 indirect)

Ecosystem-wide dependent count for version 4.2.0.Alpha1.

DescriptionNVD

Impact

The DelegatingDecompressorFrameListener class orchestrates HTTP/2 decompression by embedding a per-stream EmbeddedChannel that runs the appropriate decompression codec (gzip, deflate, zstd) and forwards decompressed chunks to a wrapped listener. Each decompressed chunk is a pooled ByteBuf handed to an anonymous ChannelInboundHandlerAdapter tail handler, which becomes the sole owner responsible for releasing it.

A remote peer could send frames that would result in the flow-controller throwing and so trigger a resource leak which at the end might take down the whole JVM due OOME.

AnalysisAI

Remote memory exhaustion in Netty's netty-codec-http2 component allows unauthenticated remote peers to crash the JVM by triggering a ByteBuf reference-count leak in DelegatingDecompressorFrameListener. When crafted HTTP/2 frames cause the flow-controller to throw, pooled ByteBuf decompression chunks are not released, accumulating heap pressure until an OutOfMemoryError terminates the JVM. No public exploit has been identified at time of analysis, and this is not listed in CISA KEV, but the no-authentication, no-interaction attack path makes any internet-exposed HTTP/2 service using affected Netty versions susceptible to sustained DoS.

Technical ContextAI

Netty's HTTP/2 codec (io.netty:netty-codec-http2) handles content-encoded HTTP/2 DATA frames through DelegatingDecompressorFrameListener, which allocates a per-stream EmbeddedChannel to run gzip, deflate, or zstd decompression. Each decompressed chunk is a pooled ByteBuf passed to an anonymous ChannelInboundHandlerAdapter tail handler that holds sole ownership and is solely responsible for releasing the buffer's reference count. CWE-400 (Uncontrolled Resource Consumption) is the root cause: when the HTTP/2 flow-controller raises an exception during frame processing, the normal release path for these pooled buffers is skipped, creating a reference-count leak. Because Netty uses reference-counted pooled buffers for performance, repeated leaks accumulate unreleased native or heap memory, eventually triggering a JVM-level OutOfMemoryError. The affected Maven artifact is pkg:maven/io.netty:netty-codec-http2 across both the 4.1.x and 4.2.x release trains.

RemediationAI

Upgrade io.netty:netty-codec-http2 to 4.1.135.Final (for the 4.1.x line) or 4.2.15.Final (for the 4.2.x line) as released and documented in the GitHub advisory at https://github.com/netty/netty/security/advisories/GHSA-c2gf-v879-257j. These are vendor-confirmed fix versions. If an immediate upgrade is not feasible, a compensating control is to disable HTTP/2 content-encoding negotiation at the application or proxy layer so that compressed DATA frames are never processed by DelegatingDecompressorFrameListener; this trades decompression performance for removal of the vulnerable code path. Alternatively, place a reverse proxy (e.g., nginx or envoy) in front of the Netty service that terminates HTTP/2 and forwards HTTP/1.1 to the backend, eliminating the vulnerable codec entirely from the attack surface. Both workarounds require application-level testing to confirm no protocol negotiation regressions. JVM heap monitoring and alerting on rapid heap growth can serve as a detection control to identify exploitation attempts before an OOME occurs.

Vendor StatusVendor

SUSE

Severity: Important
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS Affected

Share

CVE-2026-48043 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy