CVE-2026-48748
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk28th percentile - higher than 28% of all known CVEs
Summary
A memory exhaustion vulnerability in Netty before version 4.2.15.Final allows creating an infinite number of blocked streams in the HTTP/3 codec, leading to an OOM error.
Risk Assessment
An attacker can remotely cause a server crash due to memory exhaustion, resulting in service disruption and potential data loss.
Recommendation
Immediately update the Netty library to version 4.2.15.Final or later, which includes a fix for this vulnerability.
Original NVD description (English source)
Netty is a network application framework for development of protocol servers and clients. Prior to version 4.2.15.Final, a memory exhaustion vulnerability in the Netty HTTP/3 codec allows the creation of an infinite number of blocked streams, which can cause OOM error. Version 4.2.15.Final patches the issue.

