GHSA-4GRM-H2QV-H6W6
Vulnerability from github – Published: 2026-06-15 20:43 – Updated: 2026-06-15 20:43Summary
A memory exhaustion vulnerability in the Netty HTTP/3 codec allows the creation of an infinite number of blocked streams, which can cause OOM error.
Details
The vulnerability exists in io.netty.handler.codec.http3.QpackDecoder#shouldWaitForDynamicTableUpdates:
If a client sends a header referencing a table entry that the server hasn't received yet, the server must pause that stream and wait for the missing entry to arrive. To prevent attackers from exhausting resources by intentionally sending missing references, Netty limits the number of streams that can be blocked at the same time.
However, the check is implemented as:
if (blockedStreamsCount == maxBlockedStreams - 1) {
If the server enables QPACK dynamic tables (by setting HTTP3_SETTINGS_QPACK_MAX_TABLE_CAPACITY > 0) but does not explicitly configure HTTP3_SETTINGS_QPACK_BLOCKED_STREAMS, it defaults to 0.
When maxBlockedStreams is 0, the condition evaluates to blockedStreamsCount == -1. Since blockedStreamsCount starts at 0 and only increments, it never equals -1. This bypasses the limit, allowing an attacker to open an infinite number of streams that block indefinitely. Additionally, the QpackDecoder never removes unblocked streams from the blockedStreams map or decrements the counter, meaning the ReadResumptionListener for each blocked stream is kept in memory for the entire lifetime of the connection. This exhausts server memory and crashes the JVM.
Impact
Denial of Service. Any server using netty-codec-http3 with QPACK dynamic tables enabled and maxBlockedStreams defaulting to 0 is impacted.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.2.13.Final"
},
"package": {
"ecosystem": "Maven",
"name": "io.netty:netty-codec-http3"
},
"ranges": [
{
"events": [
{
"introduced": "4.2.0.Final"
},
{
"fixed": "4.2.15.Final"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-48748"
],
"database_specific": {
"cwe_ids": [
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-15T20:43:13Z",
"nvd_published_at": "2026-06-12T16:16:30Z",
"severity": "HIGH"
},
"details": "### Summary\nA memory exhaustion vulnerability in the Netty HTTP/3 codec allows the creation of an infinite number of blocked streams, which can cause OOM error.\n\n### Details\nThe vulnerability exists in `io.netty.handler.codec.http3.QpackDecoder#shouldWaitForDynamicTableUpdates`:\n\nIf a client sends a header referencing a table entry that the server hasn\u0027t received yet, the server must pause that stream and wait for the missing entry to arrive. To prevent attackers from exhausting resources by intentionally sending missing references, Netty limits the number of streams that can be blocked at the same time.\n\nHowever, the check is implemented as:\n\n```java\nif (blockedStreamsCount == maxBlockedStreams - 1) {\n```\n\nIf the server enables QPACK dynamic tables (by setting `HTTP3_SETTINGS_QPACK_MAX_TABLE_CAPACITY` \u003e 0) but does not explicitly configure `HTTP3_SETTINGS_QPACK_BLOCKED_STREAMS`, it defaults to 0.\n\nWhen `maxBlockedStreams` is 0, the condition evaluates to `blockedStreamsCount == -1`. Since `blockedStreamsCount` starts at `0` and only increments, it never equals `-1`. This bypasses the limit, allowing an attacker to open an infinite number of streams that block indefinitely. Additionally, the `QpackDecoder` never removes unblocked streams from the `blockedStreams` map or decrements the counter, meaning the `ReadResumptionListener` for each blocked stream is kept in memory for the entire lifetime of the connection. This exhausts server memory and crashes the JVM.\n\n### Impact\nDenial of Service. Any server using `netty-codec-http3` with QPACK dynamic tables enabled and maxBlockedStreams defaulting to 0 is impacted.",
"id": "GHSA-4grm-h2qv-h6w6",
"modified": "2026-06-15T20:43:13Z",
"published": "2026-06-15T20:43:13Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/netty/netty/security/advisories/GHSA-4grm-h2qv-h6w6"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48748"
},
{
"type": "PACKAGE",
"url": "https://github.com/netty/netty"
},
{
"type": "WEB",
"url": "https://github.com/netty/netty/releases/tag/netty-4.2.15.Final"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Netty HTTP/3 QPACK Blocked Streams Memory Exhaustion"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.