CVE-2026-48043
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk44th percentile - higher than 44% of all known CVEs
Summary
In the Netty library, in the netty-codec-http2 component prior to versions 4.1.135.Final and 4.2.15.Final, a resource leak vulnerability was found in the `DelegatingDecompressorFrameListener` class. A remote attacker can send specially crafted HTTP/2 frames that cause the flow controller to throw an exception, leading to improper release of pooled `ByteBuf` buffers and eventually to JVM memory exhaustion.
Risk Assessment
The risk for the organization is the possibility of a denial-of-service (DoS) attack via remote memory leak, which can crash the entire JVM and disrupt application availability.
Recommendation
Immediately update the Netty library to version 4.1.135.Final or 4.2.15.Final, which contain the fix for this vulnerability.
Original NVD description (English source)
Netty is a network application framework for development of protocol servers and clients. In netty-codec-http2 prior to versions 4.1.135.Final and 4.2.15.Final, the `DelegatingDecompressorFrameListener` class orchestrates HTTP/2 decompression by embedding a per-stream `EmbeddedChannel` that runs the appropriate decompression codec (gzip, deflate, zstd) and forwards decompressed chunks to a wrapped listener. Each decompressed chunk is a pooled `ByteBuf` handed to an anonymous `ChannelInboundHandlerAdapter` tail handler, which becomes the sole owner responsible for releasing it. A remote peer could send frames that would result in the flow-controller throwing and so trigger a resource leak which at the end might take down the whole JVM due OOME. Versions 4.1.135.Final and 4.2.15.Final patch the issue.

