Description
Netty is a network application framework for development of protocol servers and clients. In netty-codec-http2 prior to versions 4.1.135.Final and 4.2.15.Final, the `DelegatingDecompressorFrameListener` class orchestrates HTTP/2 decompression by embedding a per-stream `EmbeddedChannel` that runs the appropriate decompression codec (gzip, deflate, zstd) and forwards decompressed chunks to a wrapped listener. Each decompressed chunk is a pooled `ByteBuf` handed to an anonymous `ChannelInboundHandlerAdapter` tail handler, which becomes the sole owner responsible for releasing it. A remote peer could send frames that would result in the flow-controller throwing and so trigger a resource leak which at the end might take down the whole JVM due OOME. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Published: 2026-06-12
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Netty’s HTTP/2 codec used a delegating decompressor that created a per‑stream EmbeddedChannel. Decompressed data were pooled ByteBuf objects that the tail handler owned and had to release. If a remote peer sent frames that triggered a flow‑controller exception, the delegate would fail to release the buffer, resulting in a reference‑count leak. Over time, the leak can exhaust JVM heap and cause an out‑of‑memory error, terminating the process and making the service unavailable. The flaw is an uncontrolled resource consumption weakness (CWE‑400) and an improper buffer management problem (CWE‑401).

Affected Systems

All releases of Netty that embed netty-codec-http2 prior to versions 4.1.135.Final and 4.2.15.Final are affected. Any application that incorporates Netty 4.1.x or 4.2.x for HTTP/2 handling is at risk.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. The EPSS score is below 1 % and the issue is not listed in CISA’s KEV catalog, suggesting a low likelihood of active exploitation. The attack vector is a remote attacker who can send crafted HTTP/2 frames to a Netty server; only service availability is compromised, with no reported confidentiality or integrity impact. While exploitation is considered unlikely, detection through memory usage and log monitoring can help identify attempts.

Generated by OpenCVE AI on June 12, 2026 at 16:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Netty to version 4.1.135.Final or 4.2.15.Final, which removes the ByteBuf reference‑count leak.
  • If an immediate upgrade is not possible, reduce the impact by constraining the maximum frame size and flow control parameters in the HTTP/2 configuration to mitigate the likelihood that a malicious frame triggers a flow‑controller exception.
  • Continuously monitor JVM heap usage and application logs for signs of out‑of‑memory errors or rapid buffer growth; set automated alerts to detect potential exploitation attempts.

Generated by OpenCVE AI on June 12, 2026 at 16:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-c2gf-v879-257j netty-codec-http2: ByteBuf Reference-Count Leak in DelegatingDecompressorFrameListener Leads to Memory Exhaustion
History

Fri, 12 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Netty
Netty netty
Vendors & Products Netty
Netty netty

Fri, 12 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description Netty is a network application framework for development of protocol servers and clients. In netty-codec-http2 prior to versions 4.1.135.Final and 4.2.15.Final, the `DelegatingDecompressorFrameListener` class orchestrates HTTP/2 decompression by embedding a per-stream `EmbeddedChannel` that runs the appropriate decompression codec (gzip, deflate, zstd) and forwards decompressed chunks to a wrapped listener. Each decompressed chunk is a pooled `ByteBuf` handed to an anonymous `ChannelInboundHandlerAdapter` tail handler, which becomes the sole owner responsible for releasing it. A remote peer could send frames that would result in the flow-controller throwing and so trigger a resource leak which at the end might take down the whole JVM due OOME. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Title netty-codec-http2: ByteBuf Reference-Count Leak in DelegatingDecompressorFrameListener Leads to Memory Exhaustion
Weaknesses CWE-400
CWE-401
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Subscriptions

Netty Netty
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T15:59:56.498Z

Reserved: 2026-05-20T18:15:53.578Z

Link: CVE-2026-48043

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-06-12T16:16:30.587

Modified: 2026-06-12T16:18:27.287

Link: CVE-2026-48043

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-12T17:00:07Z

Weaknesses
  • CWE-400

    Uncontrolled Resource Consumption

  • CWE-401

    Missing Release of Memory after Effective Lifetime