Description
Netty is a network application framework for development of protocol servers and clients. In netty-codec-http2 prior to versions 4.1.135.Final and 4.2.15.Final, the `DelegatingDecompressorFrameListener` class orchestrates HTTP/2 decompression by embedding a per-stream `EmbeddedChannel` that runs the appropriate decompression codec (gzip, deflate, zstd) and forwards decompressed chunks to a wrapped listener. Each decompressed chunk is a pooled `ByteBuf` handed to an anonymous `ChannelInboundHandlerAdapter` tail handler, which becomes the sole owner responsible for releasing it. A remote peer could send frames that would result in the flow-controller throwing and so trigger a resource leak which at the end might take down the whole JVM due OOME. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Published: 2026-06-12
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Netty’s HTTP/2 codec used a delegating decompressor that created a per‑stream EmbeddedChannel. Decompressed data were pooled ByteBuf objects that the tail handler owned and had to release. If a remote peer sent frames that triggered a flow‑controller exception, the delegate would fail to release the buffer, resulting in a reference‑count leak. Over time, the leak can exhaust JVM heap and cause an out‑of‑memory error, terminating the process and making the service unavailable. The flaw is an uncontrolled resource consumption weakness (CWE‑400), an improper buffer management problem (CWE‑401), and a missing release of resources (CWE‑772).

Affected Systems

All releases of Netty that embed netty-codec-http2 prior to versions 4.1.135.Final and 4.2.15.Final are affected. Any application that incorporates Netty 4.1.x or 4.2.x for HTTP/2 handling is at risk.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. The EPSS score is below 1 % and the issue is not listed in CISA’s KEV catalog, suggesting a low likelihood of active exploitation. The attack vector is a remote attacker who can send crafted HTTP/2 frames to a Netty server; only service availability is compromised, with no reported confidentiality or integrity impact. While exploitation is considered unlikely, detection through memory usage and log monitoring can help identify attempts.

Generated by OpenCVE AI on June 13, 2026 at 13:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Netty to version 4.1.135.Final or 4.2.15.Final, which removes the ByteBuf reference‑count leak.
  • If an immediate upgrade is not possible, reduce the impact by constraining the maximum frame size and flow control parameters in the HTTP/2 configuration to mitigate the likelihood that a malicious frame triggers a flow‑controller exception.
  • Continuously monitor JVM heap usage and application logs for signs of out‑of‑memory errors or rapid buffer growth; set automated alerts to detect potential exploitation attempts.

Generated by OpenCVE AI on June 13, 2026 at 13:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-c2gf-v879-257j netty-codec-http2: ByteBuf Reference-Count Leak in DelegatingDecompressorFrameListener Leads to Memory Exhaustion
History

Mon, 15 Jun 2026 02:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*

Sat, 13 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-772
References
Metrics threat_severity

None

threat_severity

Important


Fri, 12 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 12 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Netty
Netty netty
Vendors & Products Netty
Netty netty

Fri, 12 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description Netty is a network application framework for development of protocol servers and clients. In netty-codec-http2 prior to versions 4.1.135.Final and 4.2.15.Final, the `DelegatingDecompressorFrameListener` class orchestrates HTTP/2 decompression by embedding a per-stream `EmbeddedChannel` that runs the appropriate decompression codec (gzip, deflate, zstd) and forwards decompressed chunks to a wrapped listener. Each decompressed chunk is a pooled `ByteBuf` handed to an anonymous `ChannelInboundHandlerAdapter` tail handler, which becomes the sole owner responsible for releasing it. A remote peer could send frames that would result in the flow-controller throwing and so trigger a resource leak which at the end might take down the whole JVM due OOME. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Title netty-codec-http2: ByteBuf Reference-Count Leak in DelegatingDecompressorFrameListener Leads to Memory Exhaustion
Weaknesses CWE-400
CWE-401
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-07-01T12:04:41.872Z

Reserved: 2026-05-20T18:15:53.578Z

Link: CVE-2026-48043

cve-icon Vulnrichment

Updated: 2026-06-30T03:18:48.932Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-12T16:16:30.587

Modified: 2026-06-15T01:56:42.963

Link: CVE-2026-48043

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-12T14:39:52Z

Links: CVE-2026-48043 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-13T13:30:09Z

Weaknesses
  • CWE-400

    Uncontrolled Resource Consumption

  • CWE-401

    Missing Release of Memory after Effective Lifetime

  • CWE-772

    Missing Release of Resource after Effective Lifetime