Resource Leak Vulnerability in Netty's HTTP/2 Decompression Framework
CVE-2026-48043

5.3MEDIUM

Key Information:

Vendor

Netty

Status
Vendor
CVE Published:
12 June 2026

What is CVE-2026-48043?

A resource leak vulnerability exists in the netty-codec-http2 component of the Netty framework, which is widely used for developing network applications. The flaw arises in the DelegatingDecompressorFrameListener class, responsible for handling HTTP/2 decompression. Due to improper management of decompressed data, a remote attacker can exploit this vulnerability by sending crafted frames, potentially leading to a resource leak. This flaw can overload the flow-controller and ultimately cause an OutOfMemoryError (OOME), destabilizing the entire Java Virtual Machine (JVM). Versions 4.1.135.Final and 4.2.15.Final have addressed this issue.

Affected Version(s)

netty >= 4.2.0.Final, < 4.2.15.Final < 4.2.0.Final, 4.2.15.Final

netty < 4.1.135.Final < 4.1.135.Final

References

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.