Description
Netty is a network application framework for development of protocol servers and clients. Prior to version 4.2.15.Final, a memory exhaustion vulnerability in the Netty HTTP/3 codec allows the creation of an infinite number of blocked streams, which can cause OOM error. Version 4.2.15.Final patches the issue.
Published: 2026-06-12
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Netty’s HTTP/3 codec contains a flaw that allows an attacker to create an infinite number of blocked streams, causing the application to consume increasing amounts of memory until it triggers an Out-of-Memory error. This memory exhaustion can crash or otherwise destabilize a Netty-based server, resulting in a denial of service. The weakness is classified as CWE-770 (Allocation of Resources Without Limits or Throttling).

Affected Systems

The vulnerability impacts the Netty network application framework, specifically versions released before 4.2.15.Final. All deployments that use Netty’s HTTP/3 codec and have not applied the 4.2.15.Final update are susceptible.

Risk and Exploitability

With a CVSS score of 7.5, the flaw is considered high severity. EPSS indicates a very low probability of exploitation (<1%), and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is a remote client that sends crafted HTTP/3 traffic to the vulnerable Netty server, but the description does not explicitly state the vector, so this is inferred from the impact of incoming blocked streams.

Generated by OpenCVE AI on June 12, 2026 at 16:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Netty to 4.2.15.Final or later, ensuring the HTTP/3 codec patch is in place.
  • Limit the number of concurrent blocked streams or overall memory usage in your Netty configuration to mitigate resource exhaustion.
  • Apply network-level filtering or rate limiting to reduce the volume of HTTP/3 traffic that can be processed during an attack.


Advisories

No advisories yet.

History

Fri, 12 Jun 2026 16:45:00 +0000

Values added (no values removed):

  • First Time appeared: Netty; Netty netty
  • Vendors & Products: Netty; Netty netty

Fri, 12 Jun 2026 15:45:00 +0000

Values added (no values removed):

  • Description: Netty is a network application framework for development of protocol servers and clients. Prior to version 4.2.15.Final, a memory exhaustion vulnerability in the Netty HTTP/3 codec allows the creation of an infinite number of blocked streams, which can cause OOM error. Version 4.2.15.Final patches the issue.
  • Title: Netty HTTP/3 QPACK Blocked Streams Memory Exhaustion
  • Weaknesses: CWE-770
  • References
  • Metrics: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T14:45:04.763Z

Reserved: 2026-05-22T19:10:35.747Z

Link: CVE-2026-48748

Vulnrichment

No data.

NVD

Status: Undergoing Analysis

Published: 2026-06-12T16:16:30.913

Modified: 2026-06-12T16:18:27.287

Link: CVE-2026-48748

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T16:30:14Z

Weaknesses
  • CWE-770

    Allocation of Resources Without Limits or Throttling