{"vulnerability": "CVE-2026-48748", "sightings": [{"uuid": "5124795f-bcac-4e92-974c-8f97679960ed", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-48748", "type": "seen", "source": "https://gist.github.com/alon710/bc7929d92c51f42ce9344791ed6ca313", "content": "# CVE-2026-48748: CVE-2026-48748: Netty HTTP/3 QPACK Blocked Streams Memory Exhaustion\n\n> **CVSS Score:** 7.5\n> **Published:** 2026-06-15\n> **Full Report:** https://cvereports.com/reports/CVE-2026-48748\n\n## Summary\nCVE-2026-48748 is a denial-of-service vulnerability in Netty's HTTP/3 codec (netty-codec-http3) occurring when QPACK dynamic tables are enabled but the blocked streams limit is not explicitly configured. A bug in limit checking and a memory leak in stream tracking allow unauthenticated remote attackers to exhaust the JVM heap memory and crash the server.\n\n## TL;DR\nA boundary check bypass and memory leak in Netty's HTTP/3 QPACK decoder allow remote attackers to exhaust JVM memory and crash servers via an unrestricted number of blocked streams.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-770\n- **Attack Vector**: Network (AV:N)\n- **CVSS Score**: 7.5\n- **EPSS Score**: 0.00488\n- **Impact**: Availability (Denial of Service via JVM OOM)\n- **Exploit Status**: PoC\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- io.netty:netty-codec-http3\n- Netty HTTP/3-enabled web servers\n- API gateways using Netty for HTTP/3\n- **netty-codec-http3**: >= 4.2.0.Final, < 4.2.15.Final (Fixed in: `4.2.15.Final`)\n\n## Mitigation\n\n- Upgrade netty-codec-http3 to version 4.2.15.Final or later.\n- Manually set HTTP3_SETTINGS_QPACK_BLOCKED_STREAMS to a non-zero limit (e.g., 100) as a temporary workaround.\n\n**Remediation Steps:**\n1. Identify all Maven, Gradle, or other dependency declarations referencing io.netty:netty-codec-http3.\n2. Update the version property to 4.2.15.Final or later.\n3. If an immediate upgrade is impossible, modify server initialization code to set Http3Settings.withQpackBlockedStreams(100) or equivalent setting in the HTTP/3 bootstrap configuration.\n4. Rebuild and redeploy the application.\n5. Monitor JVM memory usage and QUIC connection durations to detect anomalies.\n\n## References\n\n- [GitHub Advisory GHSA-4grm-h2qv-h6w6](https://github.com/netty/netty/security/advisories/GHSA-4grm-h2qv-h6w6)\n- [Netty 4.2.15.Final Release Tag](https://github.com/netty/netty/releases/tag/netty-4.2.15.Final)\n- [NVD Vulnerability Page](https://nvd.nist.gov/vuln/detail/CVE-2026-48748)\n- [CVE Record](https://www.cve.org/CVERecord?id=CVE-2026-48748)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-48748) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-16T00:56:16.000000Z"}, {"uuid": "3aeef7e9-9967-4c05-a643-7c4776397c55", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-48748", "type": "seen", "source": "https://bsky.app/profile/hugovalters.bsky.social/post/3moaq36mskk23", "content": "CVE-2026-48748 - DoS in Netty HTTP/3 codec. Memory exhaustion from infinite blocked streams. CVSS 7.5. Update to 4.2.15.Final immediately. #CVE #infosec #Netty\n\nhttps://www.valtersit.com/cve/CVE-2026-48748/", "creation_timestamp": "2026-06-14T12:04:16.981114Z"}]}