netty-codec-http2: ByteBuf Reference-Count Leak in DelegatingDecompressorFrameListener Leads to Memory Exhaustion
Summary
| CVE | CVE-2026-48043 |
|---|---|
| State | PUBLISHED |
| Assigner | GitHub_M |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-12 16:16:30 UTC |
| Updated | 2026-07-03 13:17:23 UTC |
| Description | Netty is a network application framework for development of protocol servers and clients. In netty-codec-http2 prior to versions 4.1.135.Final and 4.2.15.Final, the `DelegatingDecompressorFrameListener` class orchestrates HTTP/2 decompression by embedding a per-stream `EmbeddedChannel` that runs the appropriate decompression codec (gzip, deflate, zstd) and forwards decompressed chunks to a wrapped listener. Each decompressed chunk is a pooled `ByteBuf` handed to an anonymous `ChannelInboundHandlerAdapter` tail handler, which becomes the sole owner responsible for releasing it. A remote peer could send frames that would result in the flow-controller throwing and so trigger a resource leak which at the end might take down the whole JVM due OOME. Versions 4.1.135.Final and 4.2.15.Final patch the issue. |
Risk And Classification
Primary CVSS: v3.1 7.5 HIGH from [email protected]
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.006090000 probability, percentile 0.444370000 (date 2026-06-20)
Problem Types: CWE-400 | CWE-401 | CWE-772 | CWE-400 CWE-400: Uncontrolled Resource Consumption | CWE-401 CWE-401: Missing Release of Memory after Effective Lifetime | CWE-772 Missing Release of Resource after Effective Lifetime
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Primary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | ADP | CVSS | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | [email protected] | Secondary | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | CNA | DECLARED | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
NVD Known Affected Configurations (CPE 2.3)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Netty | Netty | affected >= 4.2.0.Final, < 4.2.15.Final | Not specified |
| CNA | Netty | Netty | affected < 4.1.135.Final | Not specified |
| ADP | Red Hat | Red Hat Build Of Apache Camel 3.33 For Quarkus 3.33.2.SP1 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Build Of Quarkus 3.27.4.SP1 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Build Of Quarkus 3.33.2.SP1 | Not specified | Not specified |
| ADP | Red Hat | Streams For Apache Kafka 2.9.4 | Not specified | Not specified |
| ADP | Red Hat | Cryostat 4 | Not specified | Not specified |
| ADP | Red Hat | OpenShift Serverless | Not specified | Not specified |
| ADP | Red Hat | Red Hat AMQ Broker 7 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Build Of Apache Camel - HawtIO 4 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Build Of Apache Camel 4 For Quarkus 3 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Build Of Apache Camel For Spring Boot 4 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Build Of Apicurio Registry 3 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Build Of Debezium 3 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Build Of Keycloak | Not specified | Not specified |
| ADP | Red Hat | Red Hat Data Grid 8 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux AI RHEL AI 3 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Fuse 7 | Not specified | Not specified |
| ADP | Red Hat | Red Hat JBoss Enterprise Application Platform 7 | Not specified | Not specified |
| ADP | Red Hat | Red Hat JBoss Enterprise Application Platform Expansion Pack | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI RHOAI | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift Dev Spaces | Not specified | Not specified |
| ADP | Red Hat | Streams For Apache Kafka 3 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Single Sign-On 7 | Not specified | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| access.redhat.com/errata/RHSA-2026:26018 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:26017 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| github.com/netty/netty/releases/tag/netty-4.1.135.Final | [email protected] | github.com | Release Notes |
| access.redhat.com/security/cve/CVE-2026-48043 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-48043.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:34608 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| github.com/netty/netty/security/advisories/GHSA-c2gf-v879-257j | [email protected] | github.com | Vendor Advisory |
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | |
| access.redhat.com/errata/RHSA-2026:26586 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| github.com/netty/netty/releases/tag/netty-4.2.15.Final | [email protected] | github.com | Release Notes |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2026-06-12T16:02:56.371Z | Reported to Red Hat. |
| ADP | 2026-06-12T14:39:52.498Z | Made public. |
Solutions
ADP: RHSA-2026:26586: Red Hat Build of Apache Camel 3.33 for Quarkus 3.33.2.SP1
ADP: RHSA-2026:26018: Red Hat build of Quarkus 3.27.4.SP1
ADP: RHSA-2026:26017: Red Hat build of Quarkus 3.33.2.SP1
ADP: RHSA-2026:34608: Streams for Apache Kafka 2.9.4
Workarounds
ADP: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.