PatchSiren cyber security CVE debrief
CVE-2026-48748 netty CVE debrief
CVE-2026-48748 is a high-severity vulnerability in the Netty HTTP/3 codec that allows for memory exhaustion via the creation of an infinite number of blocked streams, potentially leading to an Out-of-Memory (OOM) error. This issue was patched in Netty version 4.2.15.Final.
- Vendor: netty
- Product: Unknown
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-15
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-15
Who should care
Users of Netty prior to version 4.2.15.Final, especially those using the HTTP/3 codec, should be aware of this vulnerability and take steps to upgrade to the patched version.
Technical summary
The vulnerability is rated HIGH with a CVSS score of 7.5. Improper handling of streams in the Netty HTTP/3 codec can lead to the creation of an infinite number of blocked streams, exhausting memory and potentially resulting in an OOM error.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade to Netty version 4.2.15.Final or later to patch the vulnerability.
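To find builds that still need this upgrade, the following added example (not part of the original advisory or the Netty project) scans `mvn dependency:tree` output for `io.netty` artifacts older than 4.2.15.Final. The sample tree is constructed, and `netty-codec-http3` as the artifact name of the HTTP/3 codec is an assumption.

```python
import re

FIXED = "4.2.15.Final"  # fix version stated in this advisory
# Netty pre-release qualifiers sort before "Final"; unknown ones sort lowest.
QUALIFIER_RANK = {"alpha": 0, "beta": 1, "cr": 2, "rc": 2, "final": 3}

# io.netty:artifactId:type[:classifier]:version:scope, as printed by `mvn dependency:tree`.
COORD = re.compile(
    r"(?<![\w.])io\.netty:(?P<artifact>[\w.-]+):[\w-]+:(?:[\w.-]+:)?"
    r"(?P<version>[\w.-]+):(?:compile|runtime|provided|test|system)\b"
)

def version_key(version):
    """Turn '4.2.15.Final' or '4.2.0.RC1' into a tuple that sorts in release order."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\.([A-Za-z]+)(\d*))?", version)
    if not m:
        raise ValueError(f"unrecognised Netty version: {version}")
    major, minor, patch, qual, qnum = m.groups()
    rank = QUALIFIER_RANK.get((qual or "final").lower(), -1)
    return (int(major), int(minor), int(patch), rank, int(qnum or 0))

def find_unpatched(tree_output, fixed=FIXED):
    """Return sorted (artifact, version) pairs for io.netty artifacts older than `fixed`."""
    hits = set()
    for line in tree_output.splitlines():
        m = COORD.search(line)
        if not m:
            continue
        try:
            patched = version_key(m.group("version")) >= version_key(fixed)
        except ValueError:
            patched = False  # fail closed: report versions that cannot be parsed
        if not patched:
            hits.add((m.group("artifact"), m.group("version")))
    return sorted(hits)

# Constructed sample output; netty-codec-http3 is an assumed artifact name.
SAMPLE_TREE = r"""
[INFO] com.example:gateway:jar:1.0.0
[INFO] +- io.netty:netty-codec-http3:jar:4.2.14.Final:compile
[INFO] |  +- io.netty:netty-codec-http:jar:4.2.14.Final:compile
[INFO] |  \- io.netty:netty-transport-native-epoll:jar:linux-x86_64:4.2.14.Final:compile
[INFO] +- io.netty:netty-buffer:jar:4.2.15.Final:compile
[INFO] \- io.netty:netty-handler:jar:4.2.0.RC1:runtime
"""

if __name__ == "__main__":
    for artifact, version in find_unpatched(SAMPLE_TREE):
        print(f"upgrade {artifact} {version} -> {FIXED} or later")
```

Versions the script cannot parse, such as snapshot builds, are reported rather than skipped so they get a manual look.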
Evidence notes
The CVE was published on 2026-06-12T16:16:30.913Z and last modified on 2026-06-12T16:18:27.287Z. The vulnerability was patched in Netty version 4.2.15.Final.