Resource Leak Vulnerability in Netty's HTTP/2 Decompression Framework
CVE-2026-48043
5.3MEDIUM
What is CVE-2026-48043?
A resource leak vulnerability exists in the netty-codec-http2 component of the Netty framework, which is widely used for developing network applications. The flaw arises in the DelegatingDecompressorFrameListener class, responsible for handling HTTP/2 decompression. Due to improper management of decompressed data, a remote attacker can exploit this vulnerability by sending crafted frames, potentially leading to a resource leak. This flaw can overload the flow-controller and ultimately cause an OutOfMemoryError (OOME), destabilizing the entire Java Virtual Machine (JVM). Versions 4.1.135.Final and 4.2.15.Final have addressed this issue.
Affected Version(s)
netty >= 4.2.0.Final, < 4.2.15.Final < 4.2.0.Final, 4.2.15.Final
netty < 4.1.135.Final < 4.1.135.Final
