CVE-2026-48748— Netty HTTP/3 QPACK Blocked Streams Memory Exhaustion
Possible ATT&CK Techniques 1AI
T1496 · Resource HijackingGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-48748
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Netty HTTP/3 QPACK Blocked Streams Memory Exhaustion
Source: NVD (National Vulnerability Database)
Vulnerability Description
Netty is a network application framework for development of protocol servers and clients. Prior to version 4.2.15.Final, a memory exhaustion vulnerability in the Netty HTTP/3 codec allows the creation of an infinite number of blocked streams, which can cause OOM error. Version 4.2.15.Final patches the issue.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
不加限制或调节的资源分配
Source: NVD (National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-48748
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
Qwen3.6-35B-A3B · 13583 chars
Pro+ exclusive includes:
Vulnerability reproduction recording (real sandbox build + trigger, exclusive)
In-depth vulnerability mechanism
Trigger conditions & impact
Full executable POC code
Exploit chain & mitigation
POC zip download
100+ AI POC generations per month
III. Intelligence Information for CVE-2026-48748
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-48748 (1)
Vendor Pages for CVE-2026-48748 (1)
Same Patch Batch · netty · 2026-06-12 · 19 CVEs total
| CVE-2026-45674 | 8.7 HIGH | Netty Vulnerable to DNS Cache Poisoning via Missing Bailiwick Checks in CNAME Records |
| CVE-2026-47691 | 8.7 HIGH | Netty has Insufficient Bailiwick Validation for NS Records |
| CVE-2026-44892 | 7.5 HIGH | Netty has a Vulnerable Default Configuration Which Leads to Denial of Service via Unbounde |
| CVE-2026-44894 | 7.5 HIGH | Netty's Default QUIC token handler accepts any client-supplied token |
| CVE-2026-44893 | 7.5 HIGH | Netty: HAProxy SSL TLV parsing leaks retained slice on invalid TLV length |
| CVE-2026-46340 | 7.5 HIGH | Netty: SCTP reassembly nests buffers without bound |
| CVE-2026-50011 | 7.5 HIGH | Netty has unbounded pre-allocation in RedisArrayAggregator from RESP array length |
| CVE-2026-50010 | 7.5 HIGH | Netty's wrapping plain trust manager silently disables hostname verification |
| CVE-2026-45416 | 7.5 HIGH | Netty: SNI handler pre-allocates up to 16 MiB from nine attacker bytes |
| CVE-2026-45673 | 6.8 MEDIUM | Netty: DNS Cache Poisoning due to Predictable PRNG and Default Static Source Port |
| CVE-2026-48043 | 5.3 MEDIUM | netty-codec-http2: ByteBuf Reference-Count Leak in DelegatingDecompressorFrameListener Lea |
| CVE-2026-50020 | 5.3 MEDIUM | Netty's HttpObjectDecoder skips arbitrary initial control characters when only initial CRL |
| CVE-2026-47244 | 5.3 MEDIUM | Netty HTTP/2: Advertised MAX_CONCURRENT_STREAMS are not enforced |
| CVE-2026-50009 | 4.8 MEDIUM | Netty QUIC stateless reset token material exposed through header-visible connection IDs |
| CVE-2026-45536 | 4.0 MEDIUM | Netty: Unix-socket fd receive leaks descriptors when peer sends two at once |
| CVE-2026-48006 | Netty's Lack of Lifecycle Cleanup Leads to Pooled ByteBuf Leak in RedisArrayAggregator | |
| CVE-2026-50560 | Netty susceptible to HTTP/2 Reset Attack with different on-the-wire signature | |
| CVE-2026-48059 | Netty HAProxy: Unbalanced Reference Count in Nested PP2_TYPE_SSL TLV Parsing Leads to Memo |
IV. Related Vulnerabilities
Same product: netty
- CVE-2026-50560
Netty susceptible to HTTP/2 Reset Attack with different on-t - CVE-2026-50020
Netty's HttpObjectDecoder skips arbitrary initial control ch - CVE-2026-50011
Netty has unbounded pre-allocation in RedisArrayAggregator f - CVE-2026-50010
Netty's wrapping plain trust manager silently disables hostn - CVE-2026-50009
Netty QUIC stateless reset token material exposed through he
Same vendor: netty
- CVE-2026-50560
Netty susceptible to HTTP/2 Reset Attack with different on-t - CVE-2026-50020
Netty's HttpObjectDecoder skips arbitrary initial control ch - CVE-2026-50011
Netty has unbounded pre-allocation in RedisArrayAggregator f - CVE-2026-50010
Netty's wrapping plain trust manager silently disables hostn - CVE-2026-50009
Netty QUIC stateless reset token material exposed through he
Same weakness: CWE-770
- CVE-2026-53522
Nezha Monitoring: Unbounded WebSocket Streams — Resource Exh - CVE-2026-50560
Netty susceptible to HTTP/2 Reset Attack with different on-t - CVE-2026-46340
Netty: SCTP reassembly nests buffers without bound - CVE-2026-45416
Netty: SNI handler pre-allocates up to 16 MiB from nine atta - CVE-2026-49347
Quest Bot: Ticket creation has no per-user open-ticket limit
V. Comments for CVE-2026-48748
No comments yet