MEDIUM 5.3 Maven
netty-codec-http2: ByteBuf Reference-Count Leak in DelegatingDecompressorFrameListener Leads to Memory Exhaustion
GHSA-c2gf-v879-257j · CVE-2026-48043
Description
Impact
The DelegatingDecompressorFrameListener class orchestrates HTTP/2 decompression by embedding a per-stream EmbeddedChannel that runs the appropriate decompression codec (gzip, deflate, zstd) and forwards decompressed chunks to a wrapped listener. Each decompressed chunk is a pooled ByteBuf handed to an anonymous ChannelInboundHandlerAdapter tail handler, which becomes the sole owner responsible for releasing it.
A remote peer can send frames that cause the flow controller to throw, which triggers the reference-count leak; the leaked buffers accumulate and can eventually take down the whole JVM with an OutOfMemoryError (OOME).
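As an added illustration of the ownership rule described above (hypothetical code written for this page, not netty's DelegatingDecompressorFrameListener or its fix), a minimal tail handler that releases the decompressed chunk on the exceptional path as well, together with the leak-detector level a deployer can turn on to confirm that pooled buffers are actually returned; ChunkSink stands in for the wrapped listener and is an assumption.

```java
import io.netty.buffer.ByteBuf;
import io.netty.buffer.Unpooled;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelInboundHandlerAdapter;
import io.netty.channel.embedded.EmbeddedChannel;
import io.netty.util.ResourceLeakDetector;
import java.nio.charset.StandardCharsets;

/** Hypothetical tail handler: sole owner of each decompressed ByteBuf, must release it on every path. */
public final class ReleasingTailHandler extends ChannelInboundHandlerAdapter {

    /** Stand-in for the wrapped listener's onDataRead(); may throw, e.g. on a flow-control error. */
    public interface ChunkSink { void accept(ByteBuf chunk) throws Exception; }

    private final ChunkSink sink;

    public ReleasingTailHandler(ChunkSink sink) { this.sink = sink; }

    @Override
    public void channelRead(ChannelHandlerContext ctx, Object msg) throws Exception {
        ByteBuf chunk = (ByteBuf) msg;      // ownership of the pooled buffer starts here
        try {
            sink.accept(chunk);             // leaky shape would be: sink.accept(chunk); chunk.release();
        } finally {                         // (release never reached when accept() throws)
            chunk.release();                // runs on both the normal and the exceptional path
        }
    }

    public static void main(String[] args) {
        // Defender's check: PARANOID tracks every pooled buffer and reports unreleased ones with a trace.
        // Equivalent JVM flag: -Dio.netty.leakDetection.level=paranoid
        ResourceLeakDetector.setLevel(ResourceLeakDetector.Level.PARANOID);

        // Constructed input: the downstream listener rejects the chunk, as a throwing flow controller would.
        EmbeddedChannel ch = new EmbeddedChannel(new ReleasingTailHandler(chunk -> {
            throw new IllegalStateException("flow controller rejected frame");
        }));
        ByteBuf chunk = Unpooled.copiedBuffer("decompressed payload", StandardCharsets.UTF_8);
        try {
            ch.writeInbound(chunk);         // EmbeddedChannel rethrows the handler's exception
        } catch (IllegalStateException expected) {
            // refCnt() == 0 shows the buffer was released even though the listener threw
            System.out.println("released after exception: " + (chunk.refCnt() == 0));
        } finally {
            ch.finishAndReleaseAll();
        }
    }
}
```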
References
- WEB https://github.com/netty/netty/security/advisories/GHSA-c2gf-v879-257j
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-48043
- PACKAGE https://github.com/netty/netty
- WEB https://github.com/netty/netty/releases/tag/netty-4.1.135.Final
- WEB https://github.com/netty/netty/releases/tag/netty-4.2.15.Final