Netty netty-codec-http2 HTTP2 Decompressor Resource Leak pre 4.1.135/4.2.15
CVE-2026-48043 Published on June 12, 2026
netty-codec-http2: ByteBuf Reference-Count Leak in DelegatingDecompressorFrameListener Leads to Memory Exhaustion
Netty is a network application framework for development of protocol servers and clients. In netty-codec-http2 prior to versions 4.1.135.Final and 4.2.15.Final, the `DelegatingDecompressorFrameListener` class orchestrates HTTP/2 decompression by embedding a per-stream `EmbeddedChannel` that runs the appropriate decompression codec (gzip, deflate, zstd) and forwards decompressed chunks to a wrapped listener. Each decompressed chunk is a pooled `ByteBuf` handed to an anonymous `ChannelInboundHandlerAdapter` tail handler, which becomes the sole owner responsible for releasing it. A remote peer could send frames that would result in the flow-controller throwing and so trigger a resource leak which at the end might take down the whole JVM due OOME. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Vulnerability Analysis
CVE-2026-48043 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a small impact on availability.
Weakness Types
What is a Resource Exhaustion Vulnerability?
The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.
CVE-2026-48043 has been classified to as a Resource Exhaustion vulnerability or weakness.
What is a Memory Leak Vulnerability?
The software does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory. This is often triggered by improper handling of malformed data or unexpectedly interrupted sessions. In some languages, developers are responsible for tracking memory allocation and releasing the memory. If there are no more pointers or references to the memory, then it can no longer be tracked and identified for release.
CVE-2026-48043 has been classified to as a Memory Leak vulnerability or weakness.
Products Associated with CVE-2026-48043
Want to know whenever a new CVE is published for Netty? stack.watch will email you.
Affected Versions
netty:- Version >= 4.2.0.Final, < 4.2.15.Final is affected.
- Version < 4.1.135.Final is affected.