Description
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final, when decoding header blocks, the non-Huffman branch of io.netty.handler.codec.http3.QpackDecoder#decodeHuffmanEncodedLiteral may execute new byte[length] for a string literal before verifying that length bytes are actually present in the compressed field section. The wire encoding allows a very large length to be expressed in few bytes. There is no check that length <= in.readableBytes() before new byte[length]. This vulnerability is fixed in 4.2.13.Final.
Published: 2026-05-13
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

When decoding HTTP/3 QPACK header blocks, Netty's QpackDecoder allocates a new byte array for a string literal without first verifying that the encoded length is within the bounds of the available data. The wire format allows a very large length value to be encoded in only a few bytes, so a crafted message can cause an unbounded allocation. This allocation can exhaust memory and cause the application to crash or become unresponsive, a denial-of-service vulnerability (CWE-770, CWE-789).
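As an added illustration (not Netty's code and not the real QpackDecoder), the decode shape the description refers to: a prefix integer supplies the literal length, and the vulnerable form allocates before checking that many bytes remain while the hardened form checks first. The class and method names are assumptions; the sample wire bytes are constructed.

```java
import java.nio.ByteBuffer;
// Added illustration, not Netty's code: a QPACK string-literal decode in the vulnerable
// shape and the hardened shape. prefixBits is the length-prefix width (7 for literal values).
public final class QpackLiteralBoundsCheck {
    // HPACK/QPACK prefix integer (RFC 7541 s5.1); bits above the prefix
    // (e.g. the Huffman flag) are masked off.
    static long readPrefixInt(ByteBuffer in, int prefixBits) {
        int mask = (1 << prefixBits) - 1;
        long value = in.get() & mask;
        if (value < mask) return value;
        for (int shift = 0; ; shift += 7) {
            if (!in.hasRemaining()) throw new IllegalStateException("truncated prefix integer");
            if (shift > 28) throw new IllegalStateException("prefix integer too long");
            int b = in.get() & 0xFF;
            value += (long) (b & 0x7F) << shift;
            if ((b & 0x80) == 0) return value;
        }
    }
    // Vulnerable shape: the array is sized from untrusted input before the decoder
    // knows whether that many bytes exist. On the sample below this allocates ~256 MB
    // and only then fails with BufferUnderflowException inside in.get(literal).
    static byte[] decodeLiteralUnchecked(ByteBuffer in, int prefixBits) {
        byte[] literal = new byte[(int) readPrefixInt(in, prefixBits)];
        in.get(literal);
        return literal;
    }
    // Hardened shape: compare length against readable bytes before allocating.
    static byte[] decodeLiteralChecked(ByteBuffer in, int prefixBits) {
        long length = readPrefixInt(in, prefixBits);
        if (length > in.remaining()) {
            throw new IllegalStateException("literal length " + length
                    + " exceeds " + in.remaining() + " readable bytes");
        }
        byte[] literal = new byte[(int) length];
        in.get(literal);
        return literal;
    }

    public static void main(String[] args) {
        // Constructed sample: Huffman flag clear, 7-bit prefix saturated, then four
        // continuation bytes encoding 268,435,582 with no literal bytes following.
        byte[] wire = {0x7F, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, 0x7F};
        try {
            decodeLiteralChecked(ByteBuffer.wrap(wire), 7);
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The checked path rejects the five-byte sample with no allocation at all, which is the property the 4.2.13.Final bounds check restores.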

Affected Systems

The flaw affects the Netty framework, specifically the io.netty:netty-codec-http3 and netty:netty packages, before the 4.2.13.Final release. Any application that relies on these Netty components to process HTTP/3 traffic is potentially vulnerable.

Risk and Exploitability

The CVSS score is 7.5, indicating high severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is likely remote, exploiting the ability to send crafted HTTP/3 header packets over the network, so any node exposed to HTTP/3 traffic could be targeted. If an attacker can inject the oversized literal into the stream, the vulnerable decoder will perform the oversized allocation and trigger the denial of service. No conditions beyond the presence of a header literal whose declared length exceeds the remaining bytes are required, making exploitation relatively straightforward for an attacker who can influence the traffic.

Generated by OpenCVE AI on May 13, 2026 at 19:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Netty library to version 4.2.13.Final or later, which contains the QPACK decoder bounds check.
  • If an upgrade is not immediately possible, isolate the vulnerable service behind a firewall or reverse proxy that limits the size or rate of HTTP/3 header traffic to reduce the risk of memory exhaustion.
  • Add monitoring for abnormal memory usage and log unusually large HTTP/3 header values; consider setting JVM memory limits or turning off HTTP/3 support if the application can function without it.

Advisories

Source        ID                    Title
Github GHSA   GHSA-2c5c-chwr-9hqw   Netty HTTP/3 QPACK literal unbounded allocation
History

Mon, 18 May 2026 13:00:00 +0000

Type   Values Removed   Values Added
CPEs                    cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*

Thu, 14 May 2026 15:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Io.netty
                                       Io.netty netty-codec-http3
                                       Netty
                                       Netty netty
Vendors & Products                     Io.netty
                                       Io.netty netty-codec-http3
                                       Netty
                                       Netty netty

Wed, 13 May 2026 20:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 13 May 2026 18:30:00 +0000

Type          Values Removed   Values Added
Description                    Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final, when decoding header blocks, the non-Huffman branch of io.netty.handler.codec.http3.QpackDecoder#decodeHuffmanEncodedLiteral may execute new byte[length] for a string literal before verifying that length bytes are actually present in the compressed field section. The wire encoding allows a very large length to be expressed in few bytes. There is no check that length <= in.readableBytes() before new byte[length]. This vulnerability is fixed in 4.2.13.Final.
Title                          Netty: HTTP/3 QPACK literal unbounded allocation
Weaknesses                     CWE-770
                               CWE-789
References
Metrics                        cvssV3_1
                               {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-13T19:35:35.549Z

Reserved: 2026-04-28T17:26:12.085Z

Link: CVE-2026-42582

Vulnrichment

Updated: 2026-05-13T19:35:31.046Z

NVD

Status: Analyzed

Published: 2026-05-13T19:17:23.763

Modified: 2026-05-18T12:54:49.460

Link: CVE-2026-42582

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T14:34:07Z

Weaknesses