EUVD-2026-36459
GHSA-4grm-h2qv-h6w6
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Remote unauthenticated QUIC peer triggers unbounded allocation causing OOM; availability-only impact, no confidentiality or integrity loss, no user interaction.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
Netty is a network application framework for development of protocol servers and clients. Prior to version 4.2.15.Final, a memory exhaustion vulnerability in the Netty HTTP/3 codec allows the creation of an infinite number of blocked streams, which can cause OOM error. Version 4.2.15.Final patches the issue.
AnalysisAI
Denial of service in the Netty HTTP/3 codec (io.netty:netty-codec-http3) prior to version 4.2.15.Final allows remote unauthenticated attackers to exhaust server memory by triggering creation of an unbounded number of blocked streams, leading to an OutOfMemoryError. The flaw affects any Java application or service using Netty as an HTTP/3 server. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The target service must have the Netty HTTP/3 codec (io.netty:netty-codec-http3) explicitly enabled and listening - HTTP/3 is not a default transport in Netty-based applications, so a server only serving HTTP/1.1 or HTTP/2 is not exposed. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are largely consistent and point to a real but specifically scoped DoS issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with network reachability to a public-facing Netty HTTP/3 endpoint opens a single QUIC connection and repeatedly initiates new request streams that the server places into a blocked state (e.g., by withholding required flow-control or QPACK dependency progress). Because the codec does not cap blocked-stream allocations, the server's JVM heap grows until an OutOfMemoryError crashes the process or makes it unresponsive, denying service to legitimate users. … |
| Remediation | Vendor-released patch: upgrade io.netty:netty-codec-http3 (and aligned Netty modules) to 4.2.15.Final or later, per https://github.com/netty/netty/releases/tag/netty-4.2.15.Final and GHSA-4grm-h2qv-h6w6. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Inventory all deployments of io.netty:netty-codec-http3 and identify which systems expose HTTP/3 endpoints; disable HTTP/3 protocol where operationally feasible to eliminate attack surface. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More from same product – last 7 days
TLS hostname verification is silently disabled in Netty's netty-handler module for any client built with SslContextBuild
Denial of service in Netty's io.netty:netty-codec-redis component (prior to 4.1.135.Final and 4.2.15.Final) allows remot
Netty's HTTP/2 codec mishandles the SETTINGS_MAX_HEADER_LIST_SIZE client setting, enabling a denial-of-service attack fu
HTTP request smuggling in Netty's HttpObjectDecoder (netty-codec-http) allows unauthenticated remote attackers to manipu
Stateless reset token leakage in Netty's QUIC codec (io.netty:netty-codec-classes-quic prior to 4.2.15.Final) enables an
Vendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today