Skip to main content

Netty EUVD-2026-36459

| CVE-2026-48748 HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-06-12 GitHub_M GHSA-4grm-h2qv-h6w6
Denial Of Service Netty Red Hat
7.5
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Remote unauthenticated QUIC peer triggers unbounded allocation causing OOM; availability-only impact, no confidentiality or integrity loss, no user interaction.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Patch available
Jun 12, 2026 - 17:01 EUVD
Source Code Evidence Fetched
Jun 12, 2026 - 16:17 vuln.today
Analysis Generated
Jun 12, 2026 - 16:17 vuln.today

DescriptionCVE.org

Netty is a network application framework for development of protocol servers and clients. Prior to version 4.2.15.Final, a memory exhaustion vulnerability in the Netty HTTP/3 codec allows the creation of an infinite number of blocked streams, which can cause OOM error. Version 4.2.15.Final patches the issue.

AnalysisAI

Denial of service in the Netty HTTP/3 codec (io.netty:netty-codec-http3) prior to version 4.2.15.Final allows remote unauthenticated attackers to exhaust server memory by triggering creation of an unbounded number of blocked streams, leading to an OutOfMemoryError. The flaw affects any Java application or service using Netty as an HTTP/3 server. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify Netty service advertising HTTP/3 (Alt-Svc h3)
Delivery
Open QUIC connection to UDP/443
Exploit
Repeatedly open new request streams kept in blocked state
Execution
Codec allocates unbounded blocked-stream state
Persist
JVM heap exhausted, OutOfMemoryError thrown
Impact
Netty process crashes or stalls, service unavailable
Sign in to reveal

Vulnerability AssessmentAI

Exploitation The target service must have the Netty HTTP/3 codec (io.netty:netty-codec-http3) explicitly enabled and listening - HTTP/3 is not a default transport in Netty-based applications, so a server only serving HTTP/1.1 or HTTP/2 is not exposed. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are largely consistent and point to a real but specifically scoped DoS issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with network reachability to a public-facing Netty HTTP/3 endpoint opens a single QUIC connection and repeatedly initiates new request streams that the server places into a blocked state (e.g., by withholding required flow-control or QPACK dependency progress). Because the codec does not cap blocked-stream allocations, the server's JVM heap grows until an OutOfMemoryError crashes the process or makes it unresponsive, denying service to legitimate users. …
Remediation Vendor-released patch: upgrade io.netty:netty-codec-http3 (and aligned Netty modules) to 4.2.15.Final or later, per https://github.com/netty/netty/releases/tag/netty-4.2.15.Final and GHSA-4grm-h2qv-h6w6. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

24 hours: Inventory all deployments of io.netty:netty-codec-http3 and identify which systems expose HTTP/3 endpoints; disable HTTP/3 protocol where operationally feasible to eliminate attack surface. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-50010 HIGH
7.5 Jun 12

TLS hostname verification is silently disabled in Netty's netty-handler module for any client built with SslContextBuild
CVE-2026-50011 HIGH POC
7.5 Jun 12

Denial of service in Netty's io.netty:netty-codec-redis component (prior to 4.1.135.Final and 4.2.15.Final) allows remot
CVE-2026-50560 MEDIUM POC
6.9 Jun 12

Netty's HTTP/2 codec mishandles the SETTINGS_MAX_HEADER_LIST_SIZE client setting, enabling a denial-of-service attack fu
CVE-2026-50020 MEDIUM POC
5.3 Jun 12

HTTP request smuggling in Netty's HttpObjectDecoder (netty-codec-http) allows unauthenticated remote attackers to manipu
CVE-2026-50009 MEDIUM
4.8 Jun 12

Stateless reset token leakage in Netty's QUIC codec (io.netty:netty-codec-classes-quic prior to 4.2.15.Final) enables an

Vendor StatusVendor

Share

EUVD-2026-36459 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy