CVE Catalog

CVE-2026-48748

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.37%

28th percentile - higher than 28% of all known CVEs

Summary

A memory exhaustion vulnerability in Netty before version 4.2.15.Final allows creating an infinite number of blocked streams in the HTTP/3 codec, leading to an OOM error.

Risk Assessment

An attacker can remotely cause a server crash due to memory exhaustion, resulting in service disruption and potential data loss.

Recommendation

Immediately update the Netty library to version 4.2.15.Final or later, which includes a fix for this vulnerability.

Original NVD description (English source)

Netty is a network application framework for development of protocol servers and clients. Prior to version 4.2.15.Final, a memory exhaustion vulnerability in the Netty HTTP/3 codec allows the creation of an infinite number of blocked streams, which can cause OOM error. Version 4.2.15.Final patches the issue.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS