PatchSiren cyber security CVE debrief
CVE-2026-48043 netty CVE debrief
CVE-2026-48043 is a vulnerability in the Netty network application framework, specifically in the netty-codec-http2 component. The `DelegatingDecompressorFrameListener` class is susceptible to a resource leak due to improper handling of decompressed chunks. This could lead to an Out-of-Memory Error (OOME) and potentially take down the entire JVM. The vulnerability has a CVSS score of 5.3 and is classified as MEDIUM severity.
- Vendor
- netty
- Product
- Unknown
- CVSS
- MEDIUM 5.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-12
- Original CVE updated
- 2026-06-15
- Advisory published
- 2026-06-12
- Advisory updated
- 2026-06-15
Who should care
Users of Netty's netty-codec-http2 component, particularly those using versions prior to 4.1.135.Final and 4.2.15.Final, should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The `DelegatingDecompressorFrameListener` class in netty-codec-http2 orchestrates HTTP/2 decompression using a per-stream `EmbeddedChannel`. A remote peer can send frames that cause the flow-controller to throw, triggering a resource leak. This leak can lead to an Out-of-Memory Error (OOME) and potentially crash the JVM. The issue is patched in versions 4.1.135.Final and 4.2.15.Final.
Defensive priority
MEDIUM
Recommended defensive actions
- Upgrade to Netty version 4.1.135.Final or 4.2.15.Final, or later.
- Implement additional monitoring and logging to detect potential resource leaks.
Evidence notes
The CVE record [cve-org] provides official details on the vulnerability. The NVD entry [nvd] offers additional information and analysis. GitHub releases [ref-4], [ref-5], and the advisory [ref-6] provide patched versions and more context.
Official resources
CVE-2026-48043 was published on 2026-06-12T16:16:30.587Z and modified on 2026-06-12T16:18:27.287Z.