GHSA-c2gf-v879-257j

Source
https://github.com/advisories/GHSA-c2gf-v879-257j
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-c2gf-v879-257j/GHSA-c2gf-v879-257j.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-c2gf-v879-257j
Aliases
  • CVE-2026-48043
Published
2026-06-11T13:28:46Z
Modified
2026-06-12T19:45:11.448753879Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Summary
netty-codec-http2: ByteBuf Reference-Count Leak in DelegatingDecompressorFrameListener Leads to Memory Exhaustion
Details

Impact

The DelegatingDecompressorFrameListener class orchestrates HTTP/2 decompression by embedding a per-stream EmbeddedChannel that runs the appropriate decompression codec (gzip, deflate, zstd) and forwards decompressed chunks to a wrapped listener. Each decompressed chunk is a pooled ByteBuf handed to an anonymous ChannelInboundHandlerAdapter tail handler, which becomes the sole owner responsible for releasing it.

A remote peer could send frames that cause the flow controller to throw, triggering a resource leak that can eventually take down the whole JVM with an OutOfMemoryError (OOME).
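
The ownership rule described above, as an added illustration (not Netty's code and not the project's patch): a tail handler that is the sole owner of each chunk leaks it if the downstream call throws before `release()`, while a `try/finally` form does not. `ChunkSink` and the class name are hypothetical, the assumption is that the throw happens while the tail handler still owns the buffer, and an unpooled buffer stands in for the pooled one.

```java
import io.netty.buffer.ByteBuf;
import io.netty.buffer.Unpooled;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelInboundHandlerAdapter;
import io.netty.channel.embedded.EmbeddedChannel;

public class TailOwnershipDemo {
    /** Hypothetical stand-in for the wrapped listener; not a Netty type. */
    interface ChunkSink { void onChunk(ByteBuf chunk) throws Exception; }

    /** Releases only on the success path: the chunk leaks when the sink throws. */
    static ChannelInboundHandlerAdapter leakyTail(ChunkSink sink) {
        return new ChannelInboundHandlerAdapter() {
            @Override
            public void channelRead(ChannelHandlerContext ctx, Object msg) throws Exception {
                ByteBuf buf = (ByteBuf) msg;
                sink.onChunk(buf);
                buf.release(); // never reached if onChunk throws
            }
        };
    }

    /** Releases on every path, so a throwing sink cannot strand the chunk. */
    static ChannelInboundHandlerAdapter safeTail(ChunkSink sink) {
        return new ChannelInboundHandlerAdapter() {
            @Override
            public void channelRead(ChannelHandlerContext ctx, Object msg) throws Exception {
                ByteBuf buf = (ByteBuf) msg;
                try { sink.onChunk(buf); } finally { buf.release(); }
            }
        };
    }

    /** Pushes one constructed chunk through the tail and reports its final refCnt. */
    static int refCntAfter(ChannelInboundHandlerAdapter tail) {
        EmbeddedChannel ch = new EmbeddedChannel(tail);
        ByteBuf chunk = Unpooled.buffer(16).writeLong(1L); // constructed sample data
        try {
            ch.writeInbound(chunk);
        } catch (Exception expected) {
            // EmbeddedChannel rethrows the handler's exception to the caller
        }
        ch.finishAndReleaseAll();
        return chunk.refCnt(); // greater than 0 means nobody released the chunk
    }

    public static void main(String[] args) {
        ChunkSink throwing = buf -> { throw new IllegalStateException("flow control error"); };
        System.out.println("leaky tail refCnt: " + refCntAfter(leakyTail(throwing)));
        System.out.println("safe tail refCnt:  " + refCntAfter(safeTail(throwing)));
    }
}
```

Running services with `-Dio.netty.leakDetection.level=paranoid` in test environments surfaces this class of leak as `LEAK:` log records from Netty's `ResourceLeakDetector`.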

Database specific
{
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-11T13:28:46Z",
    "nvd_published_at": "2026-06-12T16:16:30Z",
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-400",
        "CWE-401"
    ]
}

Affected packages

Maven / io.netty:netty-codec-http2

Package

Name
io.netty:netty-codec-http2
Purl
pkg:maven/io.netty/netty-codec-http2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
4.1.135.Final

Affected versions

4.*
4.1.0.Beta4
4.1.0.Beta5
4.1.0.Beta6
4.1.0.Beta7
4.1.0.Beta8
4.1.0.CR1
4.1.0.CR2
4.1.0.CR3
4.1.0.CR4
4.1.0.CR5
4.1.0.CR6
4.1.0.CR7
4.1.0.Final
4.1.1.Final
4.1.2.Final
4.1.3.Final
4.1.4.Final
4.1.5.Final
4.1.6.Final
4.1.7.Final
4.1.8.Final
4.1.9.Final
4.1.10.Final
4.1.11.Final
4.1.12.Final
4.1.13.Final
4.1.14.Final
4.1.15.Final
4.1.16.Final
4.1.17.Final
4.1.18.Final
4.1.19.Final
4.1.20.Final
4.1.21.Final
4.1.22.Final
4.1.23.Final
4.1.24.Final
4.1.25.Final
4.1.26.Final
4.1.27.Final
4.1.28.Final
4.1.29.Final
4.1.30.Final
4.1.31.Final
4.1.32.Final
4.1.33.Final
4.1.34.Final
4.1.35.Final
4.1.36.Final
4.1.37.Final
4.1.38.Final
4.1.39.Final
4.1.40.Final
4.1.41.Final
4.1.42.Final
4.1.43.Final
4.1.44.Final
4.1.45.Final
4.1.46.Final
4.1.47.Final
4.1.48.Final
4.1.49.Final
4.1.50.Final
4.1.51.Final
4.1.52.Final
4.1.53.Final
4.1.54.Final
4.1.55.Final
4.1.56.Final
4.1.57.Final
4.1.58.Final
4.1.59.Final
4.1.60.Final
4.1.61.Final
4.1.62.Final
4.1.63.Final
4.1.64.Final
4.1.65.Final
4.1.66.Final
4.1.67.Final
4.1.68.Final
4.1.69.Final
4.1.70.Final
4.1.71.Final
4.1.72.Final
4.1.73.Final
4.1.74.Final
4.1.75.Final
4.1.76.Final
4.1.77.Final
4.1.78.Final
4.1.79.Final
4.1.80.Final
4.1.81.Final
4.1.82.Final
4.1.83.Final
4.1.84.Final
4.1.85.Final
4.1.86.Final
4.1.87.Final
4.1.88.Final
4.1.89.Final
4.1.90.Final
4.1.91.Final
4.1.92.Final
4.1.93.Final
4.1.94.Final
4.1.95.Final
4.1.96.Final
4.1.97.Final
4.1.98.Final
4.1.99.Final
4.1.100.Final
4.1.101.Final
4.1.102.Final
4.1.103.Final
4.1.104.Final
4.1.105.Final
4.1.106.Final
4.1.107.Final
4.1.108.Final
4.1.109.Final
4.1.110.Final
4.1.111.Final
4.1.112.Final
4.1.113.Final
4.1.114.Final
4.1.115.Final
4.1.116.Final
4.1.117.Final
4.1.118.Final
4.1.119.Final
4.1.120.Final
4.1.121.Final
4.1.122.Final
4.1.123.Final
4.1.124.Final
4.1.125.Final
4.1.126.Final
4.1.127.Final
4.1.128.Final
4.1.129.Final
4.1.130.Final
4.1.131.Final
4.1.132.Final
4.1.133.Final
4.1.134.Final

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-c2gf-v879-257j/GHSA-c2gf-v879-257j.json"
last_known_affected_version_range
"<= 4.1.134.Final"

Maven / io.netty:netty-codec-http2

Package

Name
io.netty:netty-codec-http2
Purl
pkg:maven/io.netty/netty-codec-http2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.2.0.Alpha1
Fixed
4.2.15.Final

Affected versions

4.*
4.2.0.Alpha1
4.2.0.Alpha2
4.2.0.Alpha3
4.2.0.Alpha4
4.2.0.Alpha5
4.2.0.Beta1
4.2.0.RC1
4.2.0.RC2
4.2.0.RC3
4.2.0.RC4
4.2.0.Final
4.2.1.Final
4.2.2.Final
4.2.3.Final
4.2.4.Final
4.2.5.Final
4.2.6.Final
4.2.7.Final
4.2.8.Final
4.2.9.Final
4.2.10.Final
4.2.11.Final
4.2.12.Final
4.2.13.Final
4.2.14.Final

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-c2gf-v879-257j/GHSA-c2gf-v879-257j.json"
last_known_affected_version_range
"<= 4.2.14.Final"