CVE-2026-48043
Undergoing Analysis - In Progress
HTTP/2 Decompression Resource Leak in Netty

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: GitHub, Inc.

Description
Netty is a network application framework for development of protocol servers and clients. In netty-codec-http2 prior to versions 4.1.135.Final and 4.2.15.Final, the `DelegatingDecompressorFrameListener` class orchestrates HTTP/2 decompression by embedding a per-stream `EmbeddedChannel` that runs the appropriate decompression codec (gzip, deflate, zstd) and forwards decompressed chunks to a wrapped listener. Each decompressed chunk is a pooled `ByteBuf` handed to an anonymous `ChannelInboundHandlerAdapter` tail handler, which becomes the sole owner responsible for releasing it. A remote peer can send frames that make the flow controller throw while such a chunk is being forwarded; the chunk is then never released, and the leaked buffers accumulate until the JVM fails with an OutOfMemoryError (OOME). Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Affected Vendors & Products

Vendor   Product             Version / Range
netty    netty-codec-http2   < 4.2.15.Final (exclusive)
netty    netty-codec-http2   <= 4.2.14.Final (inclusive)

Both rows express the same 4.2.x range; the Description above also names the 4.1.x line before 4.1.135.Final as affected.
CWE
CWE ID    Description
CWE-400   The product does not properly control the allocation and maintenance of a limited resource.
CWE-401   The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.
Executive Summary

CVE-2026-48043 is a vulnerability in the Netty library's HTTP/2 codec component (netty-codec-http2) affecting versions up to 4.1.134.Final and 4.2.14.Final. The issue is a ByteBuf reference-count leak in the DelegatingDecompressorFrameListener class, which manages HTTP/2 decompression by using an EmbeddedChannel to run decompression codecs like gzip, deflate, and zstd.

A remote peer can send specially crafted frames that cause the flow controller to throw an error, triggering a resource leak. This leak can accumulate and eventually exhaust memory, potentially crashing the Java Virtual Machine (JVM) with an OutOfMemoryError.

The vulnerability has a moderate severity with a CVSS score of 5.3 and was fixed in versions 4.1.135.Final and 4.2.15.Final.
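The ownership pattern the Description and Executive Summary describe, as an added Java example that is neither Netty's code nor taken from the advisory: a per-stream `EmbeddedChannel` runs Netty's real gzip decoder, and a tail handler becomes sole owner of each decompressed `ByteBuf`. `ChunkSink` is a hypothetical stand-in for the flow-controller call that the advisory says a peer can make throw; `OwningTail`, `LeakyTail`, `SafeTail` and `DecompressorLeakDemo` are names chosen here. It needs netty-codec-http2 (and its transitive netty-codec, netty-buffer and netty-transport) on the classpath; the gzip payload is constructed inside the program.

```java
import io.netty.buffer.ByteBuf;
import io.netty.buffer.Unpooled;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelInboundHandlerAdapter;
import io.netty.channel.embedded.EmbeddedChannel;
import io.netty.handler.codec.compression.ZlibCodecFactory;
import io.netty.handler.codec.compression.ZlibWrapper;
import io.netty.handler.codec.http2.Http2Error;
import io.netty.handler.codec.http2.Http2Exception;

import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.GZIPOutputStream;

/**
 * Illustrative model of the bug class behind CVE-2026-48043 (added example, not Netty's code).
 * A per-stream EmbeddedChannel runs a gzip decoder and hands each decompressed ByteBuf to a
 * tail handler that becomes its sole owner. If forwarding the chunk throws, a tail that only
 * releases on the success path strands the buffer with refCnt == 1.
 */
public class DecompressorLeakDemo {

    /** Hypothetical stand-in for the flow-controller call that, per the advisory, a peer can make throw. */
    interface ChunkSink {
        void consume(ByteBuf chunk) throws Http2Exception;
    }

    /** Common tail: records every chunk it was handed so the caller can inspect refCnt afterwards. */
    abstract static class OwningTail extends ChannelInboundHandlerAdapter {
        final ChunkSink sink;
        final List<ByteBuf> seen = new ArrayList<>();
        OwningTail(ChunkSink sink) { this.sink = sink; }
    }

    /** Vulnerable shape: release() is only reached if consume() returns normally. */
    static final class LeakyTail extends OwningTail {
        LeakyTail(ChunkSink sink) { super(sink); }
        @Override
        public void channelRead(ChannelHandlerContext ctx, Object msg) throws Exception {
            ByteBuf chunk = (ByteBuf) msg;
            seen.add(chunk);
            sink.consume(chunk);   // throws -> release() below is skipped, buffer never returns to the pool
            chunk.release();
        }
    }

    /** Hardened shape: release in finally so every exit path returns the buffer to the pool. */
    static final class SafeTail extends OwningTail {
        SafeTail(ChunkSink sink) { super(sink); }
        @Override
        public void channelRead(ChannelHandlerContext ctx, Object msg) throws Exception {
            ByteBuf chunk = (ByteBuf) msg;
            seen.add(chunk);
            try {
                sink.consume(chunk);
            } finally {
                chunk.release();   // runs whether consume() returned or threw
            }
        }
    }

    /** Constructed sample input: one small gzip member, as a DATA frame body with Content-Encoding: gzip would carry. */
    static ByteBuf gzip(String text) throws Exception {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (GZIPOutputStream gz = new GZIPOutputStream(bytes)) {
            gz.write(text.getBytes(StandardCharsets.UTF_8));
        }
        return Unpooled.wrappedBuffer(bytes.toByteArray());
    }

    /** Runs one compressed payload through decoder + tail and returns how many decompressed chunks were left unreleased. */
    static int leakedChunks(OwningTail tail) throws Exception {
        EmbeddedChannel stream = new EmbeddedChannel(ZlibCodecFactory.newZlibDecoder(ZlibWrapper.GZIP), tail);
        try {
            stream.writeInbound(gzip("decompressed body that the tail handler now owns"));
        } catch (Exception fromTail) {
            // EmbeddedChannel rethrows the exception the tail raised; a real stream would now be failed
        } finally {
            stream.finishAndReleaseAll();
        }
        int leaked = 0;
        for (ByteBuf chunk : tail.seen) {
            if (chunk.refCnt() > 0) leaked++;
        }
        return leaked;
    }

    public static void main(String[] args) throws Exception {
        ChunkSink failingFlowController = chunk -> {
            throw Http2Exception.connectionError(Http2Error.FLOW_CONTROL_ERROR, "simulated flow-controller failure");
        };
        System.out.println("leaky tail, chunks left unreleased: " + leakedChunks(new LeakyTail(failingFlowController)));
        System.out.println("safe tail,  chunks left unreleased: " + leakedChunks(new SafeTail(failingFlowController)));
    }
}
```

Running `main` shows the leaky tail leaving its decompressed chunk at a positive reference count while the safe tail leaves none. The fix shape is the generic one for any handler that takes ownership of a reference-counted message: release in `finally` (or via `ReferenceCountUtil.release`) on every exit path, not only after the downstream call has succeeded, because with a pooled allocator GC does not hand a leaked region back to the arena.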

Impact Analysis

The leak is not in the flow controller itself: when the flow controller throws, the decompressed `ByteBuf` that the `DelegatingDecompressorFrameListener` tail handler owns is never released, so the pooled memory it occupies is lost for the lifetime of the process. Because the remote peer controls how often this happens, repeated triggers exhaust memory.

As a result, the Java Virtual Machine (JVM) running the affected application could crash due to an OutOfMemoryError, leading to denial of service or application downtime.

Exploitation requires no privileges or user interaction, only the ability to open an HTTP/2 connection to an endpoint whose pipeline installs `DelegatingDecompressorFrameListener` (that is, one that has opted into transparent body decompression), which makes the issue straightforward for an unauthenticated remote attacker to trigger.

Detection Guidance

This vulnerability is a `ByteBuf` reference-count leak: each time a remote peer's compressed HTTP/2 DATA frames make the flow controller throw while `DelegatingDecompressorFrameListener` is forwarding a decompressed chunk, one pooled buffer is never released. The host-side symptom is memory that grows with attacker-controlled traffic and is not reclaimed when the connections close, ending in a JVM OutOfMemoryError (OOME) in applications running a vulnerable netty-codec-http2. Watch the Netty pool rather than only the JVM heap: `PooledByteBufAllocator.DEFAULT.metric()` exposes `usedHeapMemory()` and `usedDirectMemory()`, and a value that climbs under load and never falls back while the service is idle is the signature of this class of bug.

Netty's built-in leak detector gives the most direct evidence. Running a staging or canary instance with `-Dio.netty.leakDetection.level=advanced` (or `paranoid`, which tracks every buffer at a large CPU cost and should not be used on production hosts) logs `LEAK: ByteBuf.release() was not called before it's garbage-collected` together with recent access records, which for this bug point into the HTTP/2 decompression path.

Because the trigger is a flow-control failure rather than a malformed frame, inspecting HTTP/2 traffic for "malformed" frames is unlikely to be reliable. The advisory does not publish the frame sequence; the conservative network-side lead is a client that repeatedly opens HTTP/2 streams carrying compressed bodies and whose connections end in protocol or flow-control errors, correlated with the memory growth above. Treat that as a hunting lead, not a signature.

No specific detection commands or signatures are published for this CVE.

Mitigation Strategies

The primary mitigation is to upgrade netty-codec-http2 to 4.1.135.Final or later on the 4.1 line, or 4.2.15.Final or later on the 4.2 line. Netty is usually a transitive dependency (of gRPC, Reactor Netty, Vert.x and similar), so check the resolved version rather than the declared one, for example with `mvn dependency:tree -Dincludes=io.netty:netty-codec-http2` or `gradle dependencies --configuration runtimeClasspath | grep netty-codec-http2`, and pin or force the fixed version if a framework BOM pulls in an older one.

Until the upgrade can be applied, note that the affected code runs only when `DelegatingDecompressorFrameListener` is installed, i.e. when the application opted into transparent HTTP/2 body decompression; services that do not need compressed request or response bodies can leave it out. Otherwise the interim measures bound the blast radius rather than prevent the leak: set explicit heap and direct-memory limits, alert on Netty pool usage that grows monotonically, and prefer a fast restart over a limping process (for example `-XX:+ExitOnOutOfMemoryError` under a supervisor), since a leaked pooled buffer is not returned to the pool by garbage collection.
