GHSA-c2gf-v879-257j: netty-codec-http2: ByteBuf Reference-Count Leak in DelegatingDecompressorFrameListener Leads to Memory Exhaustion
A vulnerability in the netty-codec-http2 library's DelegatingDecompressorFrameListener class can cause a ByteBuf reference-count leak, leading to memory exhaustion and potential JVM crash due to OutOfMemoryError. This occurs when a remote peer sends frames that trigger the flow-controller to throw an exception, causing a resource leak. The issue affects HTTP/2 decompression handling involving gzip, deflate, and zstd codecs. Red Hat has released security updates for their build of Quarkus that include fixes for this vulnerability.
AI Analysis
Technical Summary
The DelegatingDecompressorFrameListener class in netty-codec-http2 manages HTTP/2 decompression by using an EmbeddedChannel per stream to run decompression codecs and forward decompressed ByteBuf chunks to a listener. A flaw in this process allows a remote peer to send frames that cause the flow-controller to throw, resulting in a ByteBuf reference-count leak. This leak can accumulate, leading to memory exhaustion and potentially crashing the JVM with an OutOfMemoryError. The vulnerability is tracked as CVE-2026-48043 and has been addressed in updated versions of Red Hat's build of Quarkus by upgrading Netty to version 4.1.135.Final.
Potential Impact
The vulnerability causes a denial of service through memory exhaustion in applications using netty-codec-http2 for HTTP/2 decompression. Specifically, it can lead to an OutOfMemoryError and JVM crash due to a ByteBuf reference-count leak triggered by maliciously crafted HTTP/2 frames. There is no direct impact on confidentiality or integrity reported, only availability is affected.
Mitigation Recommendations
Red Hat has released security updates for their build of Quarkus (versions 3.27.4.SP1 and 3.33.2.SP1) that include an upgrade of Netty to version 4.1.135.Final, which contains the fix for this vulnerability. Users should apply these official updates to remediate the issue. No other mitigation or workaround is indicated in the vendor advisories.
GHSA-c2gf-v879-257j: netty-codec-http2: ByteBuf Reference-Count Leak in DelegatingDecompressorFrameListener Leads to Memory Exhaustion
Description
A vulnerability in the netty-codec-http2 library's DelegatingDecompressorFrameListener class can cause a ByteBuf reference-count leak, leading to memory exhaustion and potential JVM crash due to OutOfMemoryError. This occurs when a remote peer sends frames that trigger the flow-controller to throw an exception, causing a resource leak. The issue affects HTTP/2 decompression handling involving gzip, deflate, and zstd codecs. Red Hat has released security updates for their build of Quarkus that include fixes for this vulnerability.
CVSS v3.1
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The DelegatingDecompressorFrameListener class in netty-codec-http2 manages HTTP/2 decompression by using an EmbeddedChannel per stream to run decompression codecs and forward decompressed ByteBuf chunks to a listener. A flaw in this process allows a remote peer to send frames that cause the flow-controller to throw, resulting in a ByteBuf reference-count leak. This leak can accumulate, leading to memory exhaustion and potentially crashing the JVM with an OutOfMemoryError. The vulnerability is tracked as CVE-2026-48043 and has been addressed in updated versions of Red Hat's build of Quarkus by upgrading Netty to version 4.1.135.Final.
Potential Impact
The vulnerability causes a denial of service through memory exhaustion in applications using netty-codec-http2 for HTTP/2 decompression. Specifically, it can lead to an OutOfMemoryError and JVM crash due to a ByteBuf reference-count leak triggered by maliciously crafted HTTP/2 frames. There is no direct impact on confidentiality or integrity reported, only availability is affected.
Mitigation Recommendations
Red Hat has released security updates for their build of Quarkus (versions 3.27.4.SP1 and 3.33.2.SP1) that include an upgrade of Netty to version 4.1.135.Final, which contains the fix for this vulnerability. Users should apply these official updates to remediate the issue. No other mitigation or workaround is indicated in the vendor advisories.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- GHSA-c2gf-v879-257j
- Osv Schema Version
- 1.4.0
- Aliases
- ["CVE-2026-48043"]
- Ecosystems
- ["Maven"]
- Database Specific Severity
- MODERATE
- Cvss Version
- 3.1
Threat ID: 6a50babc68715ace43586a1f
Added to database: 07/10/2026, 09:26:20 UTC
Last enriched: 07/10/2026, 10:20:55 UTC
Last updated: 07/10/2026, 10:20:55 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.