Common Weakness Enumeration

CWE-401

Allowed

Missing Release of Memory after Effective Lifetime

Abstraction: Variant · Status: Draft

The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.

2002 vulnerabilities reference this CWE, most recent first.

CVE-2026-53429 (GCVE-0-2026-53429)

Vulnerability from cvelistv5 – Published: 2026-06-29 19:07 – Updated: 2026-06-30 04:38
VLAI
Title
Unbounded native memory leak in mdex escaped-tag rendering enables unauthenticated denial of service
Summary
Missing Release of Memory after Effective Lifetime vulnerability in leandrocp mdex and mdex_native allows an attacker who controls a rendered document to cause a denial of service through unbounded native memory exhaustion. The native rendering code permanently leaks memory when rendering a document that contains escaped-tag nodes. The conversion of each %MDEx.EscapedTag{} node into its native representation (From<ExEscapedTag> for NodeValue in the Rust NIF) calls Box::leak on the caller-supplied literal string, which surrenders the backing allocation so that it lives for the entire lifetime of the operating system process and is never freed. Both the byte length of each literal and the number of escaped-tag nodes in a document are attacker-controlled, and there is no size cap, rate limit, or string interning on this path. Every render of a document containing escaped-tag nodes therefore leaks literal_size x node_count bytes that can never be reclaimed, and repeated renders accumulate without bound. Rendering reaches this path through the public MDEx.to_html/1 entry point and any other API that renders a supplied %MDEx.Document{}. Any application that uses mdex (or mdex_native directly) to render documents derived from user-supplied content is affected. Because the leaked memory is never reclaimed for the life of the BEAM process, an attacker can drive resident memory upward without limit until the node exhausts memory and crashes, taking down every process on it. The vulnerable native code originally shipped inside mdex (in native/comrak_nif/src/types/document.rs) and was later extracted into the separate mdex_native package (native/mdex_native_nif/src/types/document.rs), where it remains unpatched. This issue affects mdex from 0.11.0 before 0.12.3, and mdex_native from 0.1.0 before 0.2.3.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-401 - Missing Release of Memory after Effective Lifetime
Assigner
EEF
Impacted products
Vendor Product Version
leandrocp mdex Affected: 0.11.0 , < 0.12.3 (semver)
    cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*
Create a notification for this product.
leandrocp mdex Affected: 81e4d14dd3aa5b206e395c7f372b9b413793015f , < 6ed94d905f97af188323f042698ae841c02293b4 (git)
    cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*
Create a notification for this product.
leandrocp mdex_native Affected: 0.1.0 , < 0.2.3 (semver)
    cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*
Create a notification for this product.
leandrocp mdex_native Affected: 956528c5e31746253347029e810a969ab916fd27 , < cbd927fb5061b488de8d90a8ef6df65718ca1fe6 (git)
    cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
Peter Ullrich Leandro Pereira Jonatan Männchen / EEF
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-53429",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-29T20:45:00.827777Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-29T20:45:38.367Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/leandrocp/mdex_native/security/advisories/GHSA-cmvp-gp9f-23xw"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.hex.pm",
          "cpes": [
            "cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.MDEx\u0027",
            "comrak_nif"
          ],
          "packageName": "mdex",
          "packageURL": "pkg:hex/mdex",
          "product": "mdex",
          "programFiles": [
            "native/comrak_nif/src/types/document.rs"
          ],
          "programRoutines": [
            {
              "name": "comrak_nif::document_to_html_with_options"
            },
            {
              "name": "\u0027Elixir.MDEx.Native\u0027:document_to_html_with_options/2"
            },
            {
              "name": "\u0027Elixir.MDEx\u0027:to_html/1"
            }
          ],
          "repo": "https://github.com/leandrocp/mdex",
          "vendor": "leandrocp",
          "versions": [
            {
              "lessThan": "0.12.3",
              "status": "affected",
              "version": "0.11.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.MDEx\u0027",
            "comrak_nif"
          ],
          "packageName": "leandrocp/mdex",
          "packageURL": "pkg:github/leandrocp/mdex",
          "product": "mdex",
          "programFiles": [
            "native/comrak_nif/src/types/document.rs"
          ],
          "programRoutines": [
            {
              "name": "comrak_nif::document_to_html_with_options"
            },
            {
              "name": "\u0027Elixir.MDEx.Native\u0027:document_to_html_with_options/2"
            },
            {
              "name": "\u0027Elixir.MDEx\u0027:to_html/1"
            }
          ],
          "repo": "https://github.com/leandrocp/mdex",
          "vendor": "leandrocp",
          "versions": [
            {
              "lessThan": "6ed94d905f97af188323f042698ae841c02293b4",
              "status": "affected",
              "version": "81e4d14dd3aa5b206e395c7f372b9b413793015f",
              "versionType": "git"
            }
          ]
        },
        {
          "collectionURL": "https://repo.hex.pm",
          "cpes": [
            "cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.MDExNative.Comrak\u0027",
            "mdex_native_nif"
          ],
          "packageName": "mdex_native",
          "packageURL": "pkg:hex/mdex_native",
          "product": "mdex_native",
          "programFiles": [
            "native/mdex_native_nif/src/types/document.rs"
          ],
          "programRoutines": [
            {
              "name": "mdex_native_nif::document_to_html_with_options"
            },
            {
              "name": "\u0027Elixir.MDExNative.Native\u0027:document_to_html_with_options/2"
            },
            {
              "name": "\u0027Elixir.MDExNative.Comrak\u0027:document_to_html/2"
            }
          ],
          "repo": "https://github.com/leandrocp/mdex_native",
          "vendor": "leandrocp",
          "versions": [
            {
              "lessThan": "0.2.3",
              "status": "affected",
              "version": "0.1.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.MDExNative.Comrak\u0027",
            "mdex_native_nif"
          ],
          "packageName": "leandrocp/mdex_native",
          "packageURL": "pkg:github/leandrocp/mdex_native",
          "product": "mdex_native",
          "programFiles": [
            "native/mdex_native_nif/src/types/document.rs"
          ],
          "programRoutines": [
            {
              "name": "mdex_native_nif::document_to_html_with_options"
            },
            {
              "name": "\u0027Elixir.MDExNative.Native\u0027:document_to_html_with_options/2"
            },
            {
              "name": "\u0027Elixir.MDExNative.Comrak\u0027:document_to_html/2"
            }
          ],
          "repo": "https://github.com/leandrocp/mdex_native",
          "vendor": "leandrocp",
          "versions": [
            {
              "lessThan": "cbd927fb5061b488de8d90a8ef6df65718ca1fe6",
              "status": "affected",
              "version": "956528c5e31746253347029e810a969ab916fd27",
              "versionType": "git"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "0.12.3",
                  "versionStartIncluding": "0.11.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "AND"
            },
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "0.2.3",
                  "versionStartIncluding": "0.1.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "AND"
            }
          ],
          "operator": "OR"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Peter Ullrich"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Leandro Pereira"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Jonatan M\u00e4nnchen / EEF"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Missing Release of Memory after Effective Lifetime vulnerability in leandrocp mdex and mdex_native allows an attacker who controls a rendered document to cause a denial of service through unbounded native memory exhaustion.\u003cp\u003eThe native rendering code permanently leaks memory when rendering a document that contains escaped-tag nodes. The conversion of each \u003ctt\u003e%MDEx.EscapedTag{}\u003c/tt\u003e node into its native representation (\u003ctt\u003eFrom\u0026lt;ExEscapedTag\u0026gt; for NodeValue\u003c/tt\u003e in the Rust NIF) calls \u003ctt\u003eBox::leak\u003c/tt\u003e on the caller-supplied \u003ctt\u003eliteral\u003c/tt\u003e string, which surrenders the backing allocation so that it lives for the entire lifetime of the operating system process and is never freed.\u003c/p\u003e\u003cp\u003eBoth the byte length of each literal and the number of escaped-tag nodes in a document are attacker-controlled, and there is no size cap, rate limit, or string interning on this path. Every render of a document containing escaped-tag nodes therefore leaks \u003ctt\u003eliteral_size \u0026times; node_count\u003c/tt\u003e bytes that can never be reclaimed, and repeated renders accumulate without bound. Rendering reaches this path through the public \u003ctt\u003eMDEx.to_html/1\u003c/tt\u003e entry point and any other API that renders a supplied \u003ctt\u003e%MDEx.Document{}\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eAny application that uses \u003ctt\u003emdex\u003c/tt\u003e (or \u003ctt\u003emdex_native\u003c/tt\u003e directly) to render documents derived from user-supplied content is affected. Because the leaked memory is never reclaimed for the life of the BEAM process, an attacker can drive resident memory upward without limit until the node exhausts memory and crashes, taking down every process on it.\u003c/p\u003e\u003cp\u003eThe vulnerable native code originally shipped inside \u003ctt\u003emdex\u003c/tt\u003e (in \u003ctt\u003enative/comrak_nif/src/types/document.rs\u003c/tt\u003e) and was later extracted into the separate \u003ctt\u003emdex_native\u003c/tt\u003e package (\u003ctt\u003enative/mdex_native_nif/src/types/document.rs\u003c/tt\u003e), where it remains unpatched.\u003c/p\u003e\u003cp\u003eThis issue affects mdex from 0.11.0 before 0.12.3, and mdex_native from 0.1.0 before 0.2.3.\u003c/p\u003e"
            }
          ],
          "value": "Missing Release of Memory after Effective Lifetime vulnerability in leandrocp mdex and mdex_native allows an attacker who controls a rendered document to cause a denial of service through unbounded native memory exhaustion.\n\nThe native rendering code permanently leaks memory when rendering a document that contains escaped-tag nodes. The conversion of each %MDEx.EscapedTag{} node into its native representation (From\u003cExEscapedTag\u003e for NodeValue in the Rust NIF) calls Box::leak on the caller-supplied literal string, which surrenders the backing allocation so that it lives for the entire lifetime of the operating system process and is never freed.\n\nBoth the byte length of each literal and the number of escaped-tag nodes in a document are attacker-controlled, and there is no size cap, rate limit, or string interning on this path. Every render of a document containing escaped-tag nodes therefore leaks literal_size x node_count bytes that can never be reclaimed, and repeated renders accumulate without bound. Rendering reaches this path through the public MDEx.to_html/1 entry point and any other API that renders a supplied %MDEx.Document{}.\n\nAny application that uses mdex (or mdex_native directly) to render documents derived from user-supplied content is affected. Because the leaked memory is never reclaimed for the life of the BEAM process, an attacker can drive resident memory upward without limit until the node exhausts memory and crashes, taking down every process on it.\n\nThe vulnerable native code originally shipped inside mdex (in native/comrak_nif/src/types/document.rs) and was later extracted into the separate mdex_native package (native/mdex_native_nif/src/types/document.rs), where it remains unpatched.\n\nThis issue affects mdex from 0.11.0 before 0.12.3, and mdex_native from 0.1.0 before 0.2.3."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-130",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-130 Excessive Allocation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-401",
              "description": "CWE-401 Missing Release of Memory after Effective Lifetime",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-30T04:38:14.140Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "related"
          ],
          "url": "https://github.com/leandrocp/mdex_native/security/advisories/GHSA-cmvp-gp9f-23xw"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-53429.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-53429"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/leandrocp/mdex_native/commit/cbd927fb5061b488de8d90a8ef6df65718ca1fe6"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Unbounded native memory leak in mdex escaped-tag rendering enables unauthenticated denial of service",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-53429",
    "datePublished": "2026-06-29T19:07:16.954Z",
    "dateReserved": "2026-06-09T11:01:47.529Z",
    "dateUpdated": "2026-06-30T04:38:14.140Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-50254 (GCVE-0-2026-50254)

Vulnerability from cvelistv5 – Published: 2026-06-30 21:14 – Updated: 2026-07-01 15:40
VLAI
Title
OFFIS DCMTK Toolkit Missing Release of Memory after Effective Lifetime
Summary
An unauthenticated remote attacker can repeatedly send a single crafted connection request to leak memory. Against storescp in its default single-process mode, memory grows quickly and the service is eventually killed, after which it stops accepting connections until an operator restarts it.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-401 - Missing release of memory after effective lifetime
Assigner
Impacted products
Vendor Product Version
OFFIS DICOM DCMTK Toolkit Affected: 0 , ≤ 3.7.0 (custom)
Create a notification for this product.
Date Public
2026-06-30 17:20
Credits
Abhinav Agarwal reported this vulnerability to CISA.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-50254",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-01T15:39:45.101630Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-01T15:40:16.809Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "DCMTK Toolkit",
          "vendor": "OFFIS DICOM",
          "versions": [
            {
              "lessThanOrEqual": "3.7.0",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Abhinav Agarwal reported this vulnerability to CISA."
        }
      ],
      "datePublic": "2026-06-30T17:20:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "An unauthenticated remote attacker can repeatedly send a single crafted connection request to leak memory. Against storescp in its default single-process mode, memory grows quickly and the service is eventually killed, after which it stops accepting connections until an operator restarts it."
            }
          ],
          "value": "An unauthenticated remote attacker can repeatedly send a single crafted connection request to leak memory. Against storescp in its default single-process mode, memory grows quickly and the service is eventually killed, after which it stops accepting connections until an operator restarts it."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-401",
              "description": "CWE-401 Missing release of memory after effective lifetime",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-30T21:14:01.154Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://github.com/DCMTK/dcmtk/releases/tag/latest"
        },
        {
          "url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-26-181-01"
        },
        {
          "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsma-26-181-01.json"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The maintainer was notified of these vulnerabilities and has provided a fix. The fix is included in the latest commits and can be obtained in the following snapshot:\u003cbr\u003e\u003cbr\u003e\u003cdiv\u003e\u003ca href=\"https://github.com/DCMTK/dcmtk/releases/tag/latest\"\u003ehttps://github.com/DCMTK/dcmtk/releases/tag/latest\u003c/a\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003eUsers are recommended to download the latest GitHub release once it becomes available."
            }
          ],
          "value": "The maintainer was notified of these vulnerabilities and has provided a fix. The fix is included in the latest commits and can be obtained in the following snapshot:\n\n https://github.com/DCMTK/dcmtk/releases/tag/latest \n\n\n\n\nUsers are recommended to download the latest GitHub release once it becomes available."
        }
      ],
      "source": {
        "advisory": "ICSMA-26-181-01",
        "discovery": "EXTERNAL"
      },
      "title": "OFFIS DCMTK Toolkit Missing Release of Memory after Effective Lifetime",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2026-50254",
    "datePublished": "2026-06-30T21:14:01.154Z",
    "dateReserved": "2026-06-22T17:03:25.973Z",
    "dateUpdated": "2026-07-01T15:40:16.809Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-48141 (GCVE-0-2026-48141)

Vulnerability from cvelistv5 – Published: 2026-06-19 13:37 – Updated: 2026-06-22 19:28
VLAI
Title
Memory leak in NI grpc-device BeginSidebandStream
Summary
There is a memory leak in NI grpc-device BeginSidebandStream that may result in denial of service due to memory exhaustion.  This affects NI grpc-device 2.17.0 and prior versions.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-401 - Missing release of memory after effective lifetime
Assigner
NI
Impacted products
Vendor Product Version
NI grpc-device Affected: 0 , ≤ 2.17.0 (semver)
Create a notification for this product.
NI InstrumentStudio Affected: 0 , ≤ 26.3.0 (semver)
Create a notification for this product.
Credits
Sebastián Alba Vives (@Sebasteuo / 0xS4bb1)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-48141",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-22T19:28:34.889070Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-22T19:28:43.707Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "grpc-device",
          "vendor": "NI",
          "versions": [
            {
              "lessThanOrEqual": "2.17.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "InstrumentStudio",
          "vendor": "NI",
          "versions": [
            {
              "lessThanOrEqual": "26.3.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:ni:grpc-device:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "2.17.0",
                  "versionStartIncluding": "0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            },
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:ni:instrumentstudio:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "26.3.0",
                  "versionStartIncluding": "0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Sebasti\u00e1n Alba Vives (@Sebasteuo / 0xS4bb1)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThere is a memory leak in NI grpc-device BeginSidebandStream that may result in denial of service due to memory exhaustion.\u0026nbsp; This affects NI grpc-device 2.17.0 and prior versions.\u0026nbsp;\u003c/p\u003e"
            }
          ],
          "value": "There is a memory leak in NI grpc-device BeginSidebandStream that may result in denial of service due to memory exhaustion.\u00a0 This affects NI grpc-device 2.17.0 and prior versions."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-131",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-131 Resource Leak Exposure"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-401",
              "description": "CWE-401 Missing release of memory after effective lifetime",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-19T13:37:50.361Z",
        "orgId": "bca5b2e8-03a4-4781-b4ca-c6a078c0bfd4",
        "shortName": "NI"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/2026/multiple-vulnerabilities-in-ni-grpc-device-server.html"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://github.com/ni/grpc-device/security/advisories/GHSA-j4qc-5v3f-rf87"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Memory leak in NI grpc-device BeginSidebandStream",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "bca5b2e8-03a4-4781-b4ca-c6a078c0bfd4",
    "assignerShortName": "NI",
    "cveId": "CVE-2026-48141",
    "datePublished": "2026-06-19T13:37:50.361Z",
    "dateReserved": "2026-05-20T19:51:56.936Z",
    "dateUpdated": "2026-06-22T19:28:43.707Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-48059 (GCVE-0-2026-48059)

Vulnerability from cvelistv5 – Published: 2026-06-12 14:42 – Updated: 2026-07-15 00:48
VLAI
Title
Netty HAProxy: Unbalanced Reference Count in Nested PP2_TYPE_SSL TLV Parsing Leads to Memory Exhaustion
Summary
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, the HAProxy PROXY protocol v2 codec in netty leaks native or heap memory on every connection when a client sends a syntactically valid header containing nested `PP2_TYPE_SSL` TLVs (type-length-value records) at depth two or greater. The leak occurs on the successful parse path — no exception is thrown, the message fires downstream, the decoder removes itself, and the application releases the `HAProxyMessage` normally. Yet the underlying cumulation buffer (a pooled, potentially direct `ByteBuf` allocated by the channel) remains permanently pinned. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-401 - Missing Release of Memory after Effective Lifetime
  • CWE-1286 - Improper Validation of Syntactic Correctness of Input
Assigner
Impacted products
Vendor Product Version
netty netty Affected: >= 4.2.0.Final, < 4.2.15.Final
Affected: < 4.1.135.Final
Create a notification for this product.
Red Hat Red Hat Build of Apache Camel 3.33 for Quarkus 3.33.2.SP1 Unaffected: codec-haproxy , < * (rpm)
    cpe:/a:redhat:apache_camel_quarkus:3.33
Create a notification for this product.
Red Hat Red Hat build of Apache Camel 4.18.1.P1 for Spring Boot 3.5.16 Unaffected: codec-haproxy , < * (rpm)
    cpe:/a:redhat:apache_camel_spring_boot:4.18
Create a notification for this product.
Red Hat Red Hat build of Quarkus 3.27.4.SP1 Unaffected: codec-haproxy , < * (rpm)
    cpe:/a:redhat:quarkus:3.27::el8
Create a notification for this product.
Red Hat Red Hat build of Quarkus 3.33.2.SP1 Unaffected: codec-haproxy , < * (rpm)
    cpe:/a:redhat:quarkus:3.33::el8
Create a notification for this product.
Red Hat Streams for Apache Kafka 2.9.4 Unaffected: codec-haproxy , < * (rpm)
    cpe:/a:redhat:amq_streams:2.9::el9
Create a notification for this product.
Red Hat Red Hat OpenShift Dev Spaces 3.29 Unaffected: 1782989027 , < * (rpm)
    cpe:/a:redhat:openshift_devspaces:3.29::el9
Create a notification for this product.
Red Hat Cryostat 4     cpe:/a:redhat:cryostat:4
Create a notification for this product.
Red Hat OpenShift Serverless     cpe:/a:redhat:serverless:1
Create a notification for this product.
Red Hat Red Hat AMQ Broker 7     cpe:/a:redhat:amq_broker:7
Create a notification for this product.
Red Hat Red Hat build of Apache Camel 4 for Quarkus 3     cpe:/a:redhat:camel_quarkus:3
Create a notification for this product.
Red Hat Red Hat build of Apache Camel - HawtIO 4     cpe:/a:redhat:apache_camel_hawtio:4
Create a notification for this product.
Red Hat Red Hat build of Apicurio Registry 3     cpe:/a:redhat:apicurio_registry:3
Create a notification for this product.
Red Hat Red Hat build of Debezium 3     cpe:/a:redhat:debezium:3
Create a notification for this product.
Red Hat Red Hat Build of Keycloak     cpe:/a:redhat:build_keycloak:
Create a notification for this product.
Red Hat Red Hat Data Grid 8     cpe:/a:redhat:jboss_data_grid:8
Create a notification for this product.
Red Hat Red Hat Fuse 7     cpe:/a:redhat:jboss_fuse:7
Create a notification for this product.
Red Hat Red Hat JBoss Enterprise Application Platform 7     cpe:/a:redhat:jboss_enterprise_application_platform:7
Create a notification for this product.
Red Hat Red Hat JBoss Enterprise Application Platform Expansion Pack     cpe:/a:redhat:jbosseapxp
Create a notification for this product.
Red Hat Red Hat OpenShift AI (RHOAI)     cpe:/a:redhat:openshift_ai
Create a notification for this product.
Red Hat Red Hat Satellite 6     cpe:/a:redhat:satellite:6
Create a notification for this product.
Red Hat Red Hat Single Sign-On 7     cpe:/a:redhat:red_hat_single_sign_on:7
Create a notification for this product.
Red Hat streams for Apache Kafka 3     cpe:/a:redhat:amq_streams:3
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-48059",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-12T16:14:17.314653Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-12T16:19:45.689Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "affected": [
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:apache_camel_quarkus:3.33"
            ],
            "defaultStatus": "affected",
            "packageName": "netty",
            "product": "Red Hat Build of Apache Camel 3.33 for Quarkus 3.33.2.SP1",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "codec-haproxy",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:apache_camel_spring_boot:4.18"
            ],
            "defaultStatus": "affected",
            "packageName": "netty",
            "product": "Red Hat build of Apache Camel 4.18.1.P1 for Spring Boot 3.5.16",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "codec-haproxy",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:quarkus:3.27::el8"
            ],
            "defaultStatus": "affected",
            "packageName": "netty",
            "product": "Red Hat build of Quarkus 3.27.4.SP1",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "codec-haproxy",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:quarkus:3.33::el8"
            ],
            "defaultStatus": "affected",
            "packageName": "netty",
            "product": "Red Hat build of Quarkus 3.33.2.SP1",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "codec-haproxy",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:amq_streams:2.9::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "netty",
            "product": "Streams for Apache Kafka 2.9.4",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "codec-haproxy",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://catalog.redhat.com/software/containers/",
            "cpes": [
              "cpe:/a:redhat:openshift_devspaces:3.29::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "devspaces/multicluster-redirector-rhel9",
            "product": "Red Hat OpenShift Dev Spaces 3.29",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "1782989027",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:cryostat:4"
            ],
            "defaultStatus": "affected",
            "packageName": "netty-codec-haproxy",
            "product": "Cryostat 4",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:serverless:1"
            ],
            "defaultStatus": "affected",
            "packageName": "openshift-serverless-1/kn-ekb-dispatcher-rhel9",
            "product": "OpenShift Serverless",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:serverless:1"
            ],
            "defaultStatus": "affected",
            "packageName": "openshift-serverless-1/kn-ekb-receiver-rhel9",
            "product": "OpenShift Serverless",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:serverless:1"
            ],
            "defaultStatus": "affected",
            "packageName": "openshift-serverless-1/kn-eventing-integrations-aws-ddb-streams-source-rhel9",
            "product": "OpenShift Serverless",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:serverless:1"
            ],
            "defaultStatus": "affected",
            "packageName": "openshift-serverless-1/kn-eventing-integrations-aws-s3-sink-rhel9",
            "product": "OpenShift Serverless",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:serverless:1"
            ],
            "defaultStatus": "affected",
            "packageName": "openshift-serverless-1/kn-eventing-integrations-aws-s3-source-rhel9",
            "product": "OpenShift Serverless",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:serverless:1"
            ],
            "defaultStatus": "affected",
            "packageName": "openshift-serverless-1/kn-eventing-integrations-aws-sns-sink-rhel9",
            "product": "OpenShift Serverless",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:serverless:1"
            ],
            "defaultStatus": "affected",
            "packageName": "openshift-serverless-1/kn-eventing-integrations-aws-sqs-sink-rhel9",
            "product": "OpenShift Serverless",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:serverless:1"
            ],
            "defaultStatus": "affected",
            "packageName": "openshift-serverless-1/kn-eventing-integrations-aws-sqs-source-rhel9",
            "product": "OpenShift Serverless",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:serverless:1"
            ],
            "defaultStatus": "affected",
            "packageName": "openshift-serverless-1/kn-eventing-integrations-log-sink-rhel9",
            "product": "OpenShift Serverless",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:serverless:1"
            ],
            "defaultStatus": "affected",
            "packageName": "openshift-serverless-1/kn-eventing-integrations-timer-source-rhel9",
            "product": "OpenShift Serverless",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:amq_broker:7"
            ],
            "defaultStatus": "affected",
            "packageName": "netty-codec-haproxy",
            "product": "Red Hat AMQ Broker 7",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:camel_quarkus:3"
            ],
            "defaultStatus": "affected",
            "packageName": "netty-codec-haproxy",
            "product": "Red Hat build of Apache Camel 4 for Quarkus 3",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:apache_camel_hawtio:4"
            ],
            "defaultStatus": "affected",
            "packageName": "netty-codec-haproxy",
            "product": "Red Hat build of Apache Camel - HawtIO 4",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:apicurio_registry:3"
            ],
            "defaultStatus": "affected",
            "packageName": "netty-codec-haproxy",
            "product": "Red Hat build of Apicurio Registry 3",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:debezium:3"
            ],
            "defaultStatus": "affected",
            "packageName": "netty-codec-haproxy",
            "product": "Red Hat build of Debezium 3",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:build_keycloak:"
            ],
            "defaultStatus": "affected",
            "packageName": "netty-codec-haproxy",
            "product": "Red Hat Build of Keycloak",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:build_keycloak:"
            ],
            "defaultStatus": "affected",
            "packageName": "rhbk/keycloak-rhel9",
            "product": "Red Hat Build of Keycloak",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:build_keycloak:"
            ],
            "defaultStatus": "affected",
            "packageName": "rhbk/keycloak-rhel9-operator",
            "product": "Red Hat Build of Keycloak",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:build_keycloak:"
            ],
            "defaultStatus": "affected",
            "packageName": "rhbk-openshift-rhel9/rhbk-openshift-rhel9",
            "product": "Red Hat Build of Keycloak",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:build_keycloak:"
            ],
            "defaultStatus": "affected",
            "packageName": "rhbk-rhel9-operator/rhbk-rhel9-operator",
            "product": "Red Hat Build of Keycloak",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:jboss_data_grid:8"
            ],
            "defaultStatus": "affected",
            "packageName": "netty-codec-haproxy",
            "product": "Red Hat Data Grid 8",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:jboss_fuse:7"
            ],
            "defaultStatus": "affected",
            "packageName": "netty-codec-haproxy",
            "product": "Red Hat Fuse 7",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:jboss_enterprise_application_platform:7"
            ],
            "defaultStatus": "affected",
            "packageName": "netty-codec-haproxy",
            "product": "Red Hat JBoss Enterprise Application Platform 7",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:jbosseapxp"
            ],
            "defaultStatus": "affected",
            "packageName": "netty-codec-haproxy",
            "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:openshift_ai"
            ],
            "defaultStatus": "unaffected",
            "packageName": "rhoai/odh-openvino-model-server-rhel9",
            "product": "Red Hat OpenShift AI (RHOAI)",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:openshift_ai"
            ],
            "defaultStatus": "affected",
            "packageName": "rhoai/odh-trustyai-service-rhel9",
            "product": "Red Hat OpenShift AI (RHOAI)",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:satellite:6"
            ],
            "defaultStatus": "unaffected",
            "packageName": "candlepin",
            "product": "Red Hat Satellite 6",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:red_hat_single_sign_on:7"
            ],
            "defaultStatus": "unaffected",
            "packageName": "netty-codec-haproxy",
            "product": "Red Hat Single Sign-On 7",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:amq_streams:3"
            ],
            "defaultStatus": "affected",
            "packageName": "netty-codec-haproxy",
            "product": "streams for Apache Kafka 3",
            "vendor": "Red Hat"
          }
        ],
        "datePublic": "2026-06-12T14:42:44.677Z",
        "descriptions": [
          {
            "lang": "en",
            "value": "A flaw was found in the Netty HAProxy PROXY protocol v2 codec. A remote attacker can exploit this vulnerability by sending a specially crafted HAProxy PROXY protocol v2 header with nested `PP2_TYPE_SSL` type-length-value (TLV) records. This can lead to a memory leak, causing the underlying cumulation buffer to remain permanently pinned and potentially resulting in a Denial of Service (DoS) due to resource exhaustion."
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "namespace": "https://access.redhat.com/security/updates/classification/",
                "value": "Important"
              },
              "type": "Red Hat severity rating"
            }
          },
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            },
            "format": "CVSS"
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-1286",
                "description": "Improper Validation of Syntactic Correctness of Input",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-15T00:48:26.438Z",
          "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
          "shortName": "redhat-SADP"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2026-48059"
          },
          {
            "name": "RHBZ#2488437",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2488437"
          },
          {
            "tags": [
              "x_sadp-csaf-vex"
            ],
            "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-48059.json"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:26586"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:36820"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:37390"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:26018"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:26017"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:34608"
          }
        ],
        "solutions": [
          {
            "lang": "en",
            "value": "RHSA-2026:26586: Red Hat Build of Apache Camel 3.33 for Quarkus 3.33.2.SP1"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:36820: Red Hat OpenShift Dev Spaces 3.29"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:37390: Red Hat build of Apache Camel 4.18.1.P1 for Spring Boot 3.5.16"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:26018: Red Hat build of Quarkus 3.27.4.SP1"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:26017: Red Hat build of Quarkus 3.33.2.SP1"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:34608: Streams for Apache Kafka 2.9.4"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2026-06-12T16:02:40.032Z",
            "value": "Reported to Red Hat."
          },
          {
            "lang": "en",
            "time": "2026-06-12T14:42:44.677Z",
            "value": "Made public."
          }
        ],
        "title": "netty-codec-haproxy: Netty HAProxy PROXY protocol v2 codec: Denial of Service via memory leak from crafted PROXY protocol headers",
        "workarounds": [
          {
            "lang": "en",
            "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
          }
        ],
        "x_adpType": "supplier",
        "x_generator": {
          "engine": "sadp-cli 1.0.0"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "netty",
          "vendor": "netty",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 4.2.0.Final, \u003c 4.2.15.Final"
            },
            {
              "status": "affected",
              "version": "\u003c 4.1.135.Final"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, the HAProxy PROXY protocol v2 codec in netty leaks native or heap memory on every connection when a client sends a syntactically valid header containing nested `PP2_TYPE_SSL` TLVs (type-length-value records) at depth two or greater. The leak occurs on the successful parse path \u2014 no exception is thrown, the message fires downstream, the decoder removes itself, and the application releases the `HAProxyMessage` normally. Yet the underlying cumulation buffer (a pooled, potentially direct `ByteBuf` allocated by the channel) remains permanently pinned. Versions 4.1.135.Final and 4.2.15.Final patch the issue."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-401",
              "description": "CWE-401: Missing Release of Memory after Effective Lifetime",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-12T14:42:44.677Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/netty/netty/security/advisories/GHSA-h2qv-fj59-j46j",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/netty/netty/security/advisories/GHSA-h2qv-fj59-j46j"
        },
        {
          "name": "https://github.com/netty/netty/releases/tag/netty-4.1.135.Final",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/netty/netty/releases/tag/netty-4.1.135.Final"
        },
        {
          "name": "https://github.com/netty/netty/releases/tag/netty-4.2.15.Final",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/netty/netty/releases/tag/netty-4.2.15.Final"
        }
      ],
      "source": {
        "advisory": "GHSA-h2qv-fj59-j46j",
        "discovery": "UNKNOWN"
      },
      "title": "Netty HAProxy: Unbalanced Reference Count in Nested PP2_TYPE_SSL TLV Parsing Leads to Memory Exhaustion"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-48059",
    "datePublished": "2026-06-12T14:42:44.677Z",
    "dateReserved": "2026-05-20T18:25:25.707Z",
    "dateUpdated": "2026-07-15T00:48:26.438Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-48043 (GCVE-0-2026-48043)

Vulnerability from cvelistv5 – Published: 2026-06-12 14:39 – Updated: 2026-07-15 00:48
VLAI
Title
netty-codec-http2: ByteBuf Reference-Count Leak in DelegatingDecompressorFrameListener Leads to Memory Exhaustion
Summary
Netty is a network application framework for development of protocol servers and clients. In netty-codec-http2 prior to versions 4.1.135.Final and 4.2.15.Final, the `DelegatingDecompressorFrameListener` class orchestrates HTTP/2 decompression by embedding a per-stream `EmbeddedChannel` that runs the appropriate decompression codec (gzip, deflate, zstd) and forwards decompressed chunks to a wrapped listener. Each decompressed chunk is a pooled `ByteBuf` handed to an anonymous `ChannelInboundHandlerAdapter` tail handler, which becomes the sole owner responsible for releasing it. A remote peer could send frames that would result in the flow-controller throwing and so trigger a resource leak which at the end might take down the whole JVM due OOME. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-400 - Uncontrolled Resource Consumption
  • CWE-401 - Missing Release of Memory after Effective Lifetime
  • CWE-772 - Missing Release of Resource after Effective Lifetime
Assigner
Impacted products
Vendor Product Version
netty netty Affected: >= 4.2.0.Final, < 4.2.15.Final
Affected: < 4.1.135.Final
Create a notification for this product.
Red Hat Red Hat Build of Apache Camel 3.33 for Quarkus 3.33.2.SP1 Unaffected: codec-http2 , < * (rpm)
    cpe:/a:redhat:apache_camel_quarkus:3.33
Create a notification for this product.
Red Hat Red Hat build of Apache Camel 4.18.1.P1 for Spring Boot 3.5.16 Unaffected: codec-http2 , < * (rpm)
    cpe:/a:redhat:apache_camel_spring_boot:4.18
Create a notification for this product.
Red Hat Red Hat build of Quarkus 3.27.4.SP1 Unaffected: codec-http2 , < * (rpm)
    cpe:/a:redhat:quarkus:3.27::el8
Create a notification for this product.
Red Hat Red Hat build of Quarkus 3.33.2.SP1 Unaffected: codec-http2 , < * (rpm)
    cpe:/a:redhat:quarkus:3.33::el8
Create a notification for this product.
Red Hat Streams for Apache Kafka 2.9.4 Unaffected: codec-http2 , < * (rpm)
    cpe:/a:redhat:amq_streams:2.9::el9
Create a notification for this product.
Red Hat Red Hat OpenShift Dev Spaces 3.29 Unaffected: 1782989027 , < * (rpm)
    cpe:/a:redhat:openshift_devspaces:3.29::el9
Create a notification for this product.
Red Hat Red Hat OpenShift Dev Spaces 3.29 Unaffected: 1783007534 , < * (rpm)
    cpe:/a:redhat:openshift_devspaces:3.29::el9
Create a notification for this product.
Red Hat Red Hat OpenShift Dev Spaces 3.29 Unaffected: 1782989367 , < * (rpm)
    cpe:/a:redhat:openshift_devspaces:3.29::el9
Create a notification for this product.
Red Hat Red Hat OpenShift Dev Spaces 3.29 Unaffected: 1783033397 , < * (rpm)
    cpe:/a:redhat:openshift_devspaces:3.29::el9
Create a notification for this product.
Red Hat Cryostat 4     cpe:/a:redhat:cryostat:4
Create a notification for this product.
Red Hat OpenShift Serverless     cpe:/a:redhat:serverless:1
Create a notification for this product.
Red Hat Red Hat AMQ Broker 7     cpe:/a:redhat:amq_broker:7
Create a notification for this product.
Red Hat Red Hat build of Apache Camel 4 for Quarkus 3     cpe:/a:redhat:camel_quarkus:3
Create a notification for this product.
Red Hat Red Hat build of Apache Camel - HawtIO 4     cpe:/a:redhat:apache_camel_hawtio:4
Create a notification for this product.
Red Hat Red Hat build of Apicurio Registry 3     cpe:/a:redhat:apicurio_registry:3
Create a notification for this product.
Red Hat Red Hat build of Debezium 3     cpe:/a:redhat:debezium:3
Create a notification for this product.
Red Hat Red Hat Build of Keycloak     cpe:/a:redhat:build_keycloak:
Create a notification for this product.
Red Hat Red Hat Data Grid 8     cpe:/a:redhat:jboss_data_grid:8
Create a notification for this product.
Red Hat Red Hat Enterprise Linux AI (RHEL AI) 3     cpe:/a:redhat:enterprise_linux_ai:3
Create a notification for this product.
Red Hat Red Hat Fuse 7     cpe:/a:redhat:jboss_fuse:7
Create a notification for this product.
Red Hat Red Hat JBoss Enterprise Application Platform 7     cpe:/a:redhat:jboss_enterprise_application_platform:7
Create a notification for this product.
Red Hat Red Hat JBoss Enterprise Application Platform Expansion Pack     cpe:/a:redhat:jbosseapxp
Create a notification for this product.
Red Hat Red Hat OpenShift AI (RHOAI)     cpe:/a:redhat:openshift_ai
Create a notification for this product.
Red Hat Red Hat OpenShift Dev Spaces     cpe:/a:redhat:openshift_devspaces:3
Create a notification for this product.
Red Hat Red Hat Single Sign-On 7     cpe:/a:redhat:red_hat_single_sign_on:7
Create a notification for this product.
Red Hat streams for Apache Kafka 3     cpe:/a:redhat:amq_streams:3
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-48043",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-12T15:59:47.481904Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-12T15:59:56.498Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "affected": [
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:apache_camel_quarkus:3.33"
            ],
            "defaultStatus": "affected",
            "packageName": "netty",
            "product": "Red Hat Build of Apache Camel 3.33 for Quarkus 3.33.2.SP1",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "codec-http2",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:apache_camel_spring_boot:4.18"
            ],
            "defaultStatus": "affected",
            "packageName": "netty",
            "product": "Red Hat build of Apache Camel 4.18.1.P1 for Spring Boot 3.5.16",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "codec-http2",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:quarkus:3.27::el8"
            ],
            "defaultStatus": "affected",
            "packageName": "netty",
            "product": "Red Hat build of Quarkus 3.27.4.SP1",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "codec-http2",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:quarkus:3.33::el8"
            ],
            "defaultStatus": "affected",
            "packageName": "netty",
            "product": "Red Hat build of Quarkus 3.33.2.SP1",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "codec-http2",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:amq_streams:2.9::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "netty",
            "product": "Streams for Apache Kafka 2.9.4",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "codec-http2",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://catalog.redhat.com/software/containers/",
            "cpes": [
              "cpe:/a:redhat:openshift_devspaces:3.29::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "devspaces/multicluster-redirector-rhel9",
            "product": "Red Hat OpenShift Dev Spaces 3.29",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "1782989027",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://catalog.redhat.com/software/containers/",
            "cpes": [
              "cpe:/a:redhat:openshift_devspaces:3.29::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "devspaces/openvsx-rhel9",
            "product": "Red Hat OpenShift Dev Spaces 3.29",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "1783007534",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://catalog.redhat.com/software/containers/",
            "cpes": [
              "cpe:/a:redhat:openshift_devspaces:3.29::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "devspaces/pluginregistry-rhel9",
            "product": "Red Hat OpenShift Dev Spaces 3.29",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "1782989367",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://catalog.redhat.com/software/containers/",
            "cpes": [
              "cpe:/a:redhat:openshift_devspaces:3.29::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "devspaces/server-rhel9",
            "product": "Red Hat OpenShift Dev Spaces 3.29",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "1783033397",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:cryostat:4"
            ],
            "defaultStatus": "affected",
            "packageName": "netty-codec-http2",
            "product": "Cryostat 4",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:serverless:1"
            ],
            "defaultStatus": "affected",
            "packageName": "openshift-serverless-1/kn-ekb-dispatcher-rhel9",
            "product": "OpenShift Serverless",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:serverless:1"
            ],
            "defaultStatus": "affected",
            "packageName": "openshift-serverless-1/kn-ekb-receiver-rhel9",
            "product": "OpenShift Serverless",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:serverless:1"
            ],
            "defaultStatus": "affected",
            "packageName": "openshift-serverless-1/kn-eventing-integrations-aws-ddb-streams-source-rhel9",
            "product": "OpenShift Serverless",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:serverless:1"
            ],
            "defaultStatus": "affected",
            "packageName": "openshift-serverless-1/kn-eventing-integrations-aws-s3-sink-rhel9",
            "product": "OpenShift Serverless",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:serverless:1"
            ],
            "defaultStatus": "affected",
            "packageName": "openshift-serverless-1/kn-eventing-integrations-aws-s3-source-rhel9",
            "product": "OpenShift Serverless",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:serverless:1"
            ],
            "defaultStatus": "affected",
            "packageName": "openshift-serverless-1/kn-eventing-integrations-aws-sns-sink-rhel9",
            "product": "OpenShift Serverless",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:serverless:1"
            ],
            "defaultStatus": "affected",
            "packageName": "openshift-serverless-1/kn-eventing-integrations-aws-sqs-sink-rhel9",
            "product": "OpenShift Serverless",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:serverless:1"
            ],
            "defaultStatus": "affected",
            "packageName": "openshift-serverless-1/kn-eventing-integrations-aws-sqs-source-rhel9",
            "product": "OpenShift Serverless",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:serverless:1"
            ],
            "defaultStatus": "affected",
            "packageName": "openshift-serverless-1/kn-eventing-integrations-log-sink-rhel9",
            "product": "OpenShift Serverless",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:serverless:1"
            ],
            "defaultStatus": "affected",
            "packageName": "openshift-serverless-1/kn-eventing-integrations-timer-source-rhel9",
            "product": "OpenShift Serverless",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:amq_broker:7"
            ],
            "defaultStatus": "affected",
            "packageName": "netty-codec-http2",
            "product": "Red Hat AMQ Broker 7",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:camel_quarkus:3"
            ],
            "defaultStatus": "affected",
            "packageName": "netty-codec-http2",
            "product": "Red Hat build of Apache Camel 4 for Quarkus 3",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:apache_camel_hawtio:4"
            ],
            "defaultStatus": "affected",
            "packageName": "netty-codec-http2",
            "product": "Red Hat build of Apache Camel - HawtIO 4",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:apicurio_registry:3"
            ],
            "defaultStatus": "affected",
            "packageName": "netty-codec-http2",
            "product": "Red Hat build of Apicurio Registry 3",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:debezium:3"
            ],
            "defaultStatus": "affected",
            "packageName": "netty-codec-http2",
            "product": "Red Hat build of Debezium 3",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:build_keycloak:"
            ],
            "defaultStatus": "affected",
            "packageName": "netty-codec-http2",
            "product": "Red Hat Build of Keycloak",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:build_keycloak:"
            ],
            "defaultStatus": "affected",
            "packageName": "rhbk/keycloak-rhel9",
            "product": "Red Hat Build of Keycloak",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:build_keycloak:"
            ],
            "defaultStatus": "affected",
            "packageName": "rhbk/keycloak-rhel9-operator",
            "product": "Red Hat Build of Keycloak",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:build_keycloak:"
            ],
            "defaultStatus": "affected",
            "packageName": "rhbk-openshift-rhel9/rhbk-openshift-rhel9",
            "product": "Red Hat Build of Keycloak",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:build_keycloak:"
            ],
            "defaultStatus": "affected",
            "packageName": "rhbk-rhel9-operator/rhbk-rhel9-operator",
            "product": "Red Hat Build of Keycloak",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:jboss_data_grid:8"
            ],
            "defaultStatus": "affected",
            "packageName": "netty-codec-http2",
            "product": "Red Hat Data Grid 8",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:enterprise_linux_ai:3"
            ],
            "defaultStatus": "affected",
            "packageName": "bazel6",
            "product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:enterprise_linux_ai:3"
            ],
            "defaultStatus": "affected",
            "packageName": "bazel7",
            "product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:enterprise_linux_ai:3"
            ],
            "defaultStatus": "affected",
            "packageName": "bazel8",
            "product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:jboss_fuse:7"
            ],
            "defaultStatus": "affected",
            "packageName": "netty-codec-http2",
            "product": "Red Hat Fuse 7",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:jboss_enterprise_application_platform:7"
            ],
            "defaultStatus": "affected",
            "packageName": "netty-codec-http2",
            "product": "Red Hat JBoss Enterprise Application Platform 7",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:jbosseapxp"
            ],
            "defaultStatus": "affected",
            "packageName": "netty-codec-http2",
            "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:openshift_ai"
            ],
            "defaultStatus": "affected",
            "packageName": "rhoai/odh-modelmesh-rhel9",
            "product": "Red Hat OpenShift AI (RHOAI)",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:openshift_ai"
            ],
            "defaultStatus": "affected",
            "packageName": "rhoai/odh-openvino-model-server-rhel9",
            "product": "Red Hat OpenShift AI (RHOAI)",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:openshift_ai"
            ],
            "defaultStatus": "unaffected",
            "packageName": "rhoai/odh-spark-operator-rhel9",
            "product": "Red Hat OpenShift AI (RHOAI)",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:openshift_ai"
            ],
            "defaultStatus": "unaffected",
            "packageName": "rhoai/odh-th06-cpu-torch210-py312-rhel9",
            "product": "Red Hat OpenShift AI (RHOAI)",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:openshift_ai"
            ],
            "defaultStatus": "unaffected",
            "packageName": "rhoai/odh-th06-cpu-torch291-py312-rhel9",
            "product": "Red Hat OpenShift AI (RHOAI)",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:openshift_ai"
            ],
            "defaultStatus": "unaffected",
            "packageName": "rhoai/odh-th06-cuda130-torch210-py312-rhel9",
            "product": "Red Hat OpenShift AI (RHOAI)",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:openshift_ai"
            ],
            "defaultStatus": "unaffected",
            "packageName": "rhoai/odh-th06-cuda130-torch291-py312-rhel9",
            "product": "Red Hat OpenShift AI (RHOAI)",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:openshift_ai"
            ],
            "defaultStatus": "unaffected",
            "packageName": "rhoai/odh-th06-rocm64-torch291-py312-rhel9",
            "product": "Red Hat OpenShift AI (RHOAI)",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:openshift_ai"
            ],
            "defaultStatus": "affected",
            "packageName": "rhoai/odh-trustyai-service-rhel9",
            "product": "Red Hat OpenShift AI (RHOAI)",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:openshift_devspaces:3"
            ],
            "defaultStatus": "affected",
            "packageName": "devspaces/jetbrains-ide-rhel9",
            "product": "Red Hat OpenShift Dev Spaces",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:red_hat_single_sign_on:7"
            ],
            "defaultStatus": "unaffected",
            "packageName": "netty-codec-http2",
            "product": "Red Hat Single Sign-On 7",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:amq_streams:3"
            ],
            "defaultStatus": "affected",
            "packageName": "netty-codec-http2",
            "product": "streams for Apache Kafka 3",
            "vendor": "Red Hat"
          }
        ],
        "datePublic": "2026-06-12T14:39:52.498Z",
        "descriptions": [
          {
            "lang": "en",
            "value": "A flaw was found in netty-codec-http2. A remote attacker could send specially crafted frames that cause a resource leak within the `DelegatingDecompressorFrameListener` class. This resource leak could lead to an Out Of Memory Error (OOME), potentially causing a Denial of Service (DoS) by taking down the entire Java Virtual Machine (JVM)."
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "namespace": "https://access.redhat.com/security/updates/classification/",
                "value": "Important"
              },
              "type": "Red Hat severity rating"
            }
          },
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            },
            "format": "CVSS"
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-772",
                "description": "Missing Release of Resource after Effective Lifetime",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-15T00:48:29.946Z",
          "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
          "shortName": "redhat-SADP"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2026-48043"
          },
          {
            "name": "RHBZ#2488442",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2488442"
          },
          {
            "tags": [
              "x_sadp-csaf-vex"
            ],
            "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-48043.json"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:26586"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:36820"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:37390"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:26018"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:26017"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:34608"
          }
        ],
        "solutions": [
          {
            "lang": "en",
            "value": "RHSA-2026:26586: Red Hat Build of Apache Camel 3.33 for Quarkus 3.33.2.SP1"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:36820: Red Hat OpenShift Dev Spaces 3.29"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:37390: Red Hat build of Apache Camel 4.18.1.P1 for Spring Boot 3.5.16"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:26018: Red Hat build of Quarkus 3.27.4.SP1"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:26017: Red Hat build of Quarkus 3.33.2.SP1"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:34608: Streams for Apache Kafka 2.9.4"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2026-06-12T16:02:56.371Z",
            "value": "Reported to Red Hat."
          },
          {
            "lang": "en",
            "time": "2026-06-12T14:39:52.498Z",
            "value": "Made public."
          }
        ],
        "title": "netty-codec-http2: netty-codec-http2: Denial of Service due to resource leak",
        "workarounds": [
          {
            "lang": "en",
            "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
          }
        ],
        "x_adpType": "supplier",
        "x_generator": {
          "engine": "sadp-cli 1.0.0"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "netty",
          "vendor": "netty",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 4.2.0.Final, \u003c 4.2.15.Final"
            },
            {
              "status": "affected",
              "version": "\u003c 4.1.135.Final"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Netty is a network application framework for development of protocol servers and clients. In netty-codec-http2 prior to versions 4.1.135.Final and 4.2.15.Final, the `DelegatingDecompressorFrameListener` class orchestrates HTTP/2 decompression by embedding a per-stream `EmbeddedChannel` that runs the appropriate decompression codec (gzip, deflate, zstd) and forwards decompressed chunks to a wrapped listener. Each decompressed chunk is a pooled `ByteBuf` handed to an anonymous `ChannelInboundHandlerAdapter` tail handler, which becomes the sole owner responsible for releasing it. A remote peer could send frames that would result in the flow-controller throwing and so trigger a resource leak which at the end might take down the whole JVM due OOME. Versions 4.1.135.Final and 4.2.15.Final patch the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-401",
              "description": "CWE-401: Missing Release of Memory after Effective Lifetime",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-12T14:39:52.498Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/netty/netty/security/advisories/GHSA-c2gf-v879-257j",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/netty/netty/security/advisories/GHSA-c2gf-v879-257j"
        },
        {
          "name": "https://github.com/netty/netty/releases/tag/netty-4.1.135.Final",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/netty/netty/releases/tag/netty-4.1.135.Final"
        },
        {
          "name": "https://github.com/netty/netty/releases/tag/netty-4.2.15.Final",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/netty/netty/releases/tag/netty-4.2.15.Final"
        }
      ],
      "source": {
        "advisory": "GHSA-c2gf-v879-257j",
        "discovery": "UNKNOWN"
      },
      "title": "netty-codec-http2: ByteBuf Reference-Count Leak in DelegatingDecompressorFrameListener Leads to Memory Exhaustion"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-48043",
    "datePublished": "2026-06-12T14:39:52.498Z",
    "dateReserved": "2026-05-20T18:15:53.578Z",
    "dateUpdated": "2026-07-15T00:48:29.946Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-48006 (GCVE-0-2026-48006)

Vulnerability from cvelistv5 – Published: 2026-06-12 14:36 – Updated: 2026-07-15 00:48
VLAI
Title
Netty's Lack of Lifecycle Cleanup Leads to Pooled ByteBuf Leak in RedisArrayAggregator
Summary
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, the RedisArrayAggregator handler permanently leaks pooled direct-memory buffers when a Redis pipeline connection closes before a RESP array aggregate completes. The handler retains child messages in per-handler state (`depths` field) but defines no `channelInactive`, `handlerRemoved`, or `exceptionCaught` method to release them when the pipeline tears down. Because the leaked buffers are slices of `PooledByteBufAllocator` chunks, they prevent those chunks from being returned to the JVM-wide direct-memory pool. Repeated connection churn by any network peer monotonically drains this shared pool, eventually causing allocation failures on all Netty channels in the process. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-401 - Missing Release of Memory after Effective Lifetime
  • CWE-772 - Missing Release of Resource after Effective Lifetime
Assigner
Impacted products
Vendor Product Version
netty netty Affected: >= 4.2.0.Final, < 4.2.15.Final
Affected: < 4.1.135.Final
Create a notification for this product.
Red Hat Red Hat build of Apache Camel 4.18.1.P1 for Spring Boot 3.5.16 Unaffected: codec-redis , < * (rpm)
    cpe:/a:redhat:apache_camel_spring_boot:4.18
Create a notification for this product.
Red Hat Red Hat Data Grid 8     cpe:/a:redhat:jboss_data_grid:8
Create a notification for this product.
Red Hat Red Hat Fuse 7     cpe:/a:redhat:jboss_fuse:7
Create a notification for this product.
Red Hat Red Hat JBoss Enterprise Application Platform 7     cpe:/a:redhat:jboss_enterprise_application_platform:7
Create a notification for this product.
Red Hat Red Hat JBoss Enterprise Application Platform Expansion Pack     cpe:/a:redhat:jbosseapxp
Create a notification for this product.
Red Hat Red Hat Single Sign-On 7     cpe:/a:redhat:red_hat_single_sign_on:7
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-48006",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-12T16:40:23.259554Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-12T16:43:15.426Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "affected": [
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:apache_camel_spring_boot:4.18"
            ],
            "defaultStatus": "affected",
            "packageName": "netty",
            "product": "Red Hat build of Apache Camel 4.18.1.P1 for Spring Boot 3.5.16",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "codec-redis",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:jboss_data_grid:8"
            ],
            "defaultStatus": "affected",
            "packageName": "netty-codec-redis",
            "product": "Red Hat Data Grid 8",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:jboss_fuse:7"
            ],
            "defaultStatus": "affected",
            "packageName": "netty-codec-redis",
            "product": "Red Hat Fuse 7",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:jboss_enterprise_application_platform:7"
            ],
            "defaultStatus": "affected",
            "packageName": "netty-codec-redis",
            "product": "Red Hat JBoss Enterprise Application Platform 7",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:jbosseapxp"
            ],
            "defaultStatus": "affected",
            "packageName": "netty-codec-redis",
            "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:red_hat_single_sign_on:7"
            ],
            "defaultStatus": "unaffected",
            "packageName": "netty-codec-redis",
            "product": "Red Hat Single Sign-On 7",
            "vendor": "Red Hat"
          }
        ],
        "datePublic": "2026-06-12T14:36:44.416Z",
        "descriptions": [
          {
            "lang": "en",
            "value": "A flaw was found in netty-codec-redis. A remote attacker can exploit this vulnerability by repeatedly closing Redis pipeline connections before a Redis array aggregate completes. This leads to a permanent leak of direct-memory buffers, which prevents memory chunks from being returned to the shared memory pool. Over time, this can exhaust the available memory, causing a Denial of Service (DoS) for all Netty channels in the process."
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "namespace": "https://access.redhat.com/security/updates/classification/",
                "value": "Important"
              },
              "type": "Red Hat severity rating"
            }
          },
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            },
            "format": "CVSS"
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-772",
                "description": "Missing Release of Resource after Effective Lifetime",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-15T00:48:38.505Z",
          "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
          "shortName": "redhat-SADP"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2026-48006"
          },
          {
            "name": "RHBZ#2488433",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2488433"
          },
          {
            "tags": [
              "x_sadp-csaf-vex"
            ],
            "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-48006.json"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:37390"
          }
        ],
        "solutions": [
          {
            "lang": "en",
            "value": "RHSA-2026:37390: Red Hat build of Apache Camel 4.18.1.P1 for Spring Boot 3.5.16"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2026-06-12T16:02:27.195Z",
            "value": "Reported to Red Hat."
          },
          {
            "lang": "en",
            "time": "2026-06-12T14:36:44.416Z",
            "value": "Made public."
          }
        ],
        "title": "netty-codec-redis: Netty\u0027s Lack of Lifecycle Cleanup Leads to Pooled ByteBuf Leak in RedisArrayAggregator",
        "workarounds": [
          {
            "lang": "en",
            "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."
          }
        ],
        "x_adpType": "supplier",
        "x_generator": {
          "engine": "sadp-cli 1.0.0"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "netty",
          "vendor": "netty",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 4.2.0.Final, \u003c 4.2.15.Final"
            },
            {
              "status": "affected",
              "version": "\u003c 4.1.135.Final"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, the RedisArrayAggregator handler permanently leaks pooled direct-memory buffers when a Redis pipeline connection closes before a RESP array aggregate completes. The handler retains child messages in per-handler state (`depths` field) but defines no `channelInactive`, `handlerRemoved`, or `exceptionCaught` method to release them when the pipeline tears down. Because the leaked buffers are slices of `PooledByteBufAllocator` chunks, they prevent those chunks from being returned to the JVM-wide direct-memory pool. Repeated connection churn by any network peer monotonically drains this shared pool, eventually causing allocation failures on all Netty channels in the process. Versions 4.1.135.Final and 4.2.15.Final patch the issue."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-401",
              "description": "CWE-401: Missing Release of Memory after Effective Lifetime",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-12T14:36:44.416Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/netty/netty/security/advisories/GHSA-6jv9-x5w9-2ccm",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/netty/netty/security/advisories/GHSA-6jv9-x5w9-2ccm"
        },
        {
          "name": "https://github.com/netty/netty/releases/tag/netty-4.1.135.Final",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/netty/netty/releases/tag/netty-4.1.135.Final"
        },
        {
          "name": "https://github.com/netty/netty/releases/tag/netty-4.2.15.Final",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/netty/netty/releases/tag/netty-4.2.15.Final"
        }
      ],
      "source": {
        "advisory": "GHSA-6jv9-x5w9-2ccm",
        "discovery": "UNKNOWN"
      },
      "title": "Netty\u0027s Lack of Lifecycle Cleanup Leads to Pooled ByteBuf Leak in RedisArrayAggregator"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-48006",
    "datePublished": "2026-06-12T14:36:44.416Z",
    "dateReserved": "2026-05-20T17:44:09.585Z",
    "dateUpdated": "2026-07-15T00:48:38.505Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-47482 (GCVE-0-2026-47482)

Vulnerability from cvelistv5 – Published: 2026-07-14 19:50 – Updated: 2026-07-15 14:14
VLAI
Summary
NVIDIA Triton Inference Server for Linux contains a vulnerability where an attacker can cause missing release of memory after effective lifetime. A successful exploit of this vulnerability might lead to denial of service.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-401 - Missing Release of Memory after Effective Lifetime
Assigner
Impacted products
Vendor Product Version
NVIDIA Triton Inference Server Affected: 0.0 , ≤ 26.04 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-47482",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-15T14:13:46.453671Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-15T14:14:07.042Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Triton Inference Server",
          "vendor": "NVIDIA",
          "versions": [
            {
              "lessThanOrEqual": "26.04",
              "status": "affected",
              "version": "0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "NVIDIA Triton Inference Server for Linux contains a vulnerability where an attacker can cause missing release of memory after effective lifetime. A successful exploit of this vulnerability might lead to denial of service."
            }
          ],
          "value": "NVIDIA Triton Inference Server for Linux contains a vulnerability where an attacker can cause missing release of memory after effective lifetime. A successful exploit of this vulnerability might lead to denial of service."
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en",
              "value": "Denial of Service"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-401",
              "description": "CWE-401 Missing Release of Memory after Effective Lifetime",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-14T19:50:09.678Z",
        "orgId": "9576f279-3576-44b5-a4af-b9a8644b2de6",
        "shortName": "nvidia"
      },
      "references": [
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47482"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-47482"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9576f279-3576-44b5-a4af-b9a8644b2de6",
    "assignerShortName": "nvidia",
    "cveId": "CVE-2026-47482",
    "datePublished": "2026-07-14T19:50:09.678Z",
    "dateReserved": "2026-05-19T19:55:39.687Z",
    "dateUpdated": "2026-07-15T14:14:07.042Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-47326 (GCVE-0-2026-47326)

Vulnerability from cvelistv5 – Published: 2026-05-28 18:26 – Updated: 2026-05-28 19:25
VLAI
Title
Memory leak in Ubuntu Linux AppArmor large notification response allocation
Summary
Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a memory leak in the handling of big responses to AppArmor notifications. The bug can be triggered by an unprivileged local user. The memory leak could lead to resource exhaustion.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-401 - Missing release of memory after effective lifetime
Assigner
References
Impacted products
Vendor Product Version
Canonical Ubuntu Linux Affected: 6.8.0 , < 6.8.0-124.124 (dpkg)
Affected: 6.17.0 , < 6.17.0-35.35 (dpkg)
Affected: 7.0.0 , < 7.0.0-22.22 (dpkg)
Create a notification for this product.
Credits
Tristan Madani (@TristanInSec), Talence Security
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-47326",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-28T19:20:50.758806Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-28T19:25:40.402Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://launchpad.net/ubuntu/+source/",
          "defaultStatus": "unaffected",
          "modules": [
            "AppArmor"
          ],
          "packageName": "linux",
          "product": "Ubuntu Linux",
          "repo": "https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/",
          "vendor": "Canonical",
          "versions": [
            {
              "lessThan": "6.8.0-124.124",
              "status": "affected",
              "version": "6.8.0",
              "versionType": "dpkg"
            },
            {
              "lessThan": "6.17.0-35.35",
              "status": "affected",
              "version": "6.17.0",
              "versionType": "dpkg"
            },
            {
              "lessThan": "7.0.0-22.22",
              "status": "affected",
              "version": "7.0.0",
              "versionType": "dpkg"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Tristan Madani (@TristanInSec), Talence Security"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a memory leak in the handling of big responses to AppArmor notifications. The bug can be triggered by an unprivileged local user. The memory leak could lead to resource exhaustion."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-401",
              "description": "CWE-401 Missing release of memory after effective lifetime",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-28T18:26:58.224Z",
        "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "shortName": "canonical"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/noble/commit/?id=8d858ecb7e2e216ca2987302a04c266f2355fefe"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Memory leak in Ubuntu Linux AppArmor large notification response allocation"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
    "assignerShortName": "canonical",
    "cveId": "CVE-2026-47326",
    "datePublished": "2026-05-28T18:26:58.224Z",
    "dateReserved": "2026-05-19T10:37:36.433Z",
    "dateUpdated": "2026-05-28T19:25:40.402Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46679 (GCVE-0-2026-46679)

Vulnerability from cvelistv5 – Published: 2026-06-10 21:08 – Updated: 2026-06-11 14:18
VLAI
Title
libp2p: Memory DoS via subscription flood of unique topics
Summary
libp2p is a JavaScript Implementation of libp2p networking stack. Prior to version 15.0.23, three cooperating omissions in @libp2p/gossipsub allow an unauthenticated single peer to exhaust the Node.js heap of any gossipsub node with default options. This issue has been patched in version 15.0.23.
SSVC
Exploitation: poc Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-20 - Improper Input Validation
  • CWE-400 - Uncontrolled Resource Consumption
  • CWE-401 - Missing Release of Memory after Effective Lifetime
Assigner
References
Impacted products
Vendor Product Version
libp2p js-libp2p Affected: < 15.0.23
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-46679",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-11T14:18:10.380346Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-11T14:18:41.039Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/libp2p/js-libp2p/security/advisories/GHSA-4f8r-922h-2vgv"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "js-libp2p",
          "vendor": "libp2p",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 15.0.23"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "libp2p is a JavaScript Implementation of libp2p networking stack. Prior to version 15.0.23, three cooperating omissions in @libp2p/gossipsub allow an unauthenticated single peer to exhaust the Node.js heap of any gossipsub node with default options. This issue has been patched in version 15.0.23."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20: Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-401",
              "description": "CWE-401: Missing Release of Memory after Effective Lifetime",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-10T21:08:52.464Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/libp2p/js-libp2p/security/advisories/GHSA-4f8r-922h-2vgv",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/libp2p/js-libp2p/security/advisories/GHSA-4f8r-922h-2vgv"
        }
      ],
      "source": {
        "advisory": "GHSA-4f8r-922h-2vgv",
        "discovery": "UNKNOWN"
      },
      "title": "libp2p: Memory DoS via subscription flood of unique topics"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-46679",
    "datePublished": "2026-06-10T21:08:52.464Z",
    "dateReserved": "2026-05-15T21:46:51.547Z",
    "dateUpdated": "2026-06-11T14:18:41.039Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-45682 (GCVE-0-2026-45682)

Vulnerability from cvelistv5 – Published: 2026-06-02 15:23 – Updated: 2026-06-02 17:20
VLAI
Title
OpenTelemetry eBPF Instrumentation: CappedConcurrentHashMap leaks keys after removals
Summary
OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. Prior to version 0.9.0, the custom CappedConcurrentHashMap introduced for Java TLS state tracking never removes keys from its insertion-order queue when entries are deleted. In long-running instrumented JVMs, repeated connection churn can therefore grow the queue without bound and exhaust heap memory. This issue has been patched in version 0.9.0.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-401 - Missing Release of Memory after Effective Lifetime
  • CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
Impacted products
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-45682",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-02T17:19:08.840062Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-02T17:20:47.453Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/security/advisories/GHSA-962q-hwm5-52x5"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "opentelemetry-ebpf-instrumentation",
          "vendor": "open-telemetry",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.9.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. Prior to version 0.9.0, the custom CappedConcurrentHashMap introduced for Java TLS state tracking never removes keys from its insertion-order queue when entries are deleted. In long-running instrumented JVMs, repeated connection churn can therefore grow the queue without bound and exhaust heap memory. This issue has been patched in version 0.9.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 5.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-401",
              "description": "CWE-401: Missing Release of Memory after Effective Lifetime",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-02T15:23:24.666Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/security/advisories/GHSA-962q-hwm5-52x5",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/security/advisories/GHSA-962q-hwm5-52x5"
        },
        {
          "name": "https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/releases/tag/v0.9.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/releases/tag/v0.9.0"
        }
      ],
      "source": {
        "advisory": "GHSA-962q-hwm5-52x5",
        "discovery": "UNKNOWN"
      },
      "title": "OpenTelemetry eBPF Instrumentation: CappedConcurrentHashMap leaks keys after removals"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-45682",
    "datePublished": "2026-06-02T15:23:24.666Z",
    "dateReserved": "2026-05-12T21:59:25.667Z",
    "dateUpdated": "2026-06-02T17:20:47.453Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Mitigation MIT-41
Implementation

Strategy: Libraries or Frameworks

  • Choose a language or tool that provides automatic memory management, or makes manual memory management less error-prone.
  • For example, glibc in Linux provides protection against free of invalid pointers.
  • When using Xcode to target OS X or iOS, enable automatic reference counting (ARC) [REF-391].
  • To help correctly and consistently manage memory when programming in C++, consider using a smart pointer class such as std::auto_ptr (defined by ISO/IEC ISO/IEC 14882:2003), std::shared_ptr and std::unique_ptr (specified by an upcoming revision of the C++ standard, informally referred to as C++ 1x), or equivalent solutions such as Boost.
Mitigation
Architecture and Design

Use an abstraction library to abstract away risky APIs. Not a complete solution.

Mitigation
Architecture and Design Build and Compilation

Consider using the Boehm-Demers-Weiser garbage collector (bdwgc), which can help avoid leaks.

No CAPEC attack patterns related to this CWE.