CVE-2026-48043— netty-codec-http2: ByteBuf Reference-Count Leak in DelegatingDecompressorFrameListener Leads to Memory Exhaustion
Possible ATT&CK Techniques 1AI
T1496 · Resource HijackingGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-48043
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
netty-codec-http2: ByteBuf Reference-Count Leak in DelegatingDecompressorFrameListener Leads to Memory Exhaustion
Source: NVD (National Vulnerability Database)
Vulnerability Description
Netty is a network application framework for development of protocol servers and clients. In netty-codec-http2 prior to versions 4.1.135.Final and 4.2.15.Final, the `DelegatingDecompressorFrameListener` class orchestrates HTTP/2 decompression by embedding a per-stream `EmbeddedChannel` that runs the appropriate decompression codec (gzip, deflate, zstd) and forwards decompressed chunks to a wrapped listener. Each decompressed chunk is a pooled `ByteBuf` handed to an anonymous `ChannelInboundHandlerAdapter` tail handler, which becomes the sole owner responsible for releasing it. A remote peer could send frames that would result in the flow-controller throwing and so trigger a resource leak which at the end might take down the whole JVM due OOME. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Source: NVD (National Vulnerability Database)
Vulnerability Type
未加控制的资源消耗(资源穷尽)
Source: NVD (National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-48043
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-48043
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-48043 (1)
Vendor Pages for CVE-2026-48043 (2)
Same Patch Batch · netty · 2026-06-12 · 19 CVEs total
| CVE-2026-45674 | 8.7 HIGH | Netty Vulnerable to DNS Cache Poisoning via Missing Bailiwick Checks in CNAME Records |
| CVE-2026-47691 | 8.7 HIGH | Netty has Insufficient Bailiwick Validation for NS Records |
| CVE-2026-44892 | 7.5 HIGH | Netty has a Vulnerable Default Configuration Which Leads to Denial of Service via Unbounde |
| CVE-2026-44894 | 7.5 HIGH | Netty's Default QUIC token handler accepts any client-supplied token |
| CVE-2026-44893 | 7.5 HIGH | Netty: HAProxy SSL TLV parsing leaks retained slice on invalid TLV length |
| CVE-2026-46340 | 7.5 HIGH | Netty: SCTP reassembly nests buffers without bound |
| CVE-2026-50011 | 7.5 HIGH | Netty has unbounded pre-allocation in RedisArrayAggregator from RESP array length |
| CVE-2026-50010 | 7.5 HIGH | Netty's wrapping plain trust manager silently disables hostname verification |
| CVE-2026-48748 | 7.5 HIGH | Netty HTTP/3 QPACK Blocked Streams Memory Exhaustion |
| CVE-2026-45416 | 7.5 HIGH | Netty: SNI handler pre-allocates up to 16 MiB from nine attacker bytes |
| CVE-2026-45673 | 6.8 MEDIUM | Netty: DNS Cache Poisoning due to Predictable PRNG and Default Static Source Port |
| CVE-2026-50020 | 5.3 MEDIUM | Netty's HttpObjectDecoder skips arbitrary initial control characters when only initial CRL |
| CVE-2026-47244 | 5.3 MEDIUM | Netty HTTP/2: Advertised MAX_CONCURRENT_STREAMS are not enforced |
| CVE-2026-50009 | 4.8 MEDIUM | Netty QUIC stateless reset token material exposed through header-visible connection IDs |
| CVE-2026-45536 | 4.0 MEDIUM | Netty: Unix-socket fd receive leaks descriptors when peer sends two at once |
| CVE-2026-48006 | Netty's Lack of Lifecycle Cleanup Leads to Pooled ByteBuf Leak in RedisArrayAggregator | |
| CVE-2026-50560 | Netty susceptible to HTTP/2 Reset Attack with different on-the-wire signature | |
| CVE-2026-48059 | Netty HAProxy: Unbalanced Reference Count in Nested PP2_TYPE_SSL TLV Parsing Leads to Memo |
IV. Related Vulnerabilities
Same product: netty
- CVE-2026-50560
Netty susceptible to HTTP/2 Reset Attack with different on-t - CVE-2026-50020
Netty's HttpObjectDecoder skips arbitrary initial control ch - CVE-2026-50011
Netty has unbounded pre-allocation in RedisArrayAggregator f - CVE-2026-50010
Netty's wrapping plain trust manager silently disables hostn - CVE-2026-50009
Netty QUIC stateless reset token material exposed through he
Same vendor: netty
- CVE-2026-50560
Netty susceptible to HTTP/2 Reset Attack with different on-t - CVE-2026-50020
Netty's HttpObjectDecoder skips arbitrary initial control ch - CVE-2026-50011
Netty has unbounded pre-allocation in RedisArrayAggregator f - CVE-2026-50010
Netty's wrapping plain trust manager silently disables hostn - CVE-2026-50009
Netty QUIC stateless reset token material exposed through he
Same weakness: CWE-400
- CVE-2026-41708
Spring Cloud Sleuth instrumentation of Spring TX DoS vulnera - CVE-2026-5079
multer vulnerable to Denial of Service via deeply nested fie - CVE-2026-50011
Netty has unbounded pre-allocation in RedisArrayAggregator f - CVE-2026-47244
Netty HTTP/2: Advertised MAX_CONCURRENT_STREAMS are not enfo - CVE-2026-50645
Apache CXF: No restriction on attachment headers per message
V. Comments for CVE-2026-48043
No comments yet