{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-48748", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-05-22T19:10:35.747Z", "datePublished": "2026-06-12T14:45:04.763Z", "dateUpdated": "2026-06-13T03:17:03.521Z"}, "containers": {"cna": {"title": "Netty HTTP/3 QPACK Blocked Streams Memory Exhaustion", "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/netty/netty/security/advisories/GHSA-4grm-h2qv-h6w6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/netty/netty/security/advisories/GHSA-4grm-h2qv-h6w6"}, {"name": "https://github.com/netty/netty/releases/tag/netty-4.2.15.Final", "tags": ["x_refsource_MISC"], "url": "https://github.com/netty/netty/releases/tag/netty-4.2.15.Final"}], "affected": [{"vendor": "netty", "product": "netty", "versions": [{"version": ">= 4.2.0.Final, < 4.2.15.Final", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-12T14:45:04.763Z"}, "descriptions": [{"lang": "en", "value": "Netty is a network application framework for development of protocol servers and clients. Prior to version 4.2.15.Final, a memory exhaustion vulnerability in the Netty HTTP/3 codec allows the creation of an infinite number of blocked streams, which can cause OOM error. Version 4.2.15.Final patches the issue."}], "source": {"advisory": "GHSA-4grm-h2qv-h6w6", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-13T03:16:34.336688Z", "id": "CVE-2026-48748", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-13T03:17:03.521Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-48748", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-13T03:16:34.336688Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-13T03:16:57.887Z"}}], "cna": {"title": "Netty HTTP/3 QPACK Blocked Streams Memory Exhaustion", "source": {"advisory": "GHSA-4grm-h2qv-h6w6", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "netty", "product": "netty", "versions": [{"status": "affected", "version": ">= 4.2.0.Final, < 4.2.15.Final"}]}], "references": [{"url": "https://github.com/netty/netty/security/advisories/GHSA-4grm-h2qv-h6w6", "name": "https://github.com/netty/netty/security/advisories/GHSA-4grm-h2qv-h6w6", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/netty/netty/releases/tag/netty-4.2.15.Final", "name": "https://github.com/netty/netty/releases/tag/netty-4.2.15.Final", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Netty is a network application framework for development of protocol servers and clients. Prior to version 4.2.15.Final, a memory exhaustion vulnerability in the Netty HTTP/3 codec allows the creation of an infinite number of blocked streams, which can cause OOM error. Version 4.2.15.Final patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-12T14:45:04.763Z"}}}, "cveMetadata": {"cveId": "CVE-2026-48748", "state": "PUBLISHED", "dateUpdated": "2026-06-13T03:17:03.521Z", "dateReserved": "2026-05-22T19:10:35.747Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-06-12T14:45:04.763Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*", "matchCriteriaId": "413D4611-A46C-4BE4-AB2F-D86282F65984", "versionEndExcluding": "4.2.15", "versionStartIncluding": "4.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Netty is a network application framework for development of protocol servers and clients. Prior to version 4.2.15.Final, a memory exhaustion vulnerability in the Netty HTTP/3 codec allows the creation of an infinite number of blocked streams, which can cause OOM error. Version 4.2.15.Final patches the issue."}], "id": "CVE-2026-48748", "lastModified": "2026-06-15T02:31:41.390", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "[email protected]", "type": "Secondary"}]}, "published": "2026-06-12T16:16:30.913", "references": [{"source": "[email protected]", "tags": ["Release Notes"], "url": "https://github.com/netty/netty/releases/tag/netty-4.2.15.Final"}, {"source": "[email protected]", "tags": ["Vendor Advisory"], "url": "https://github.com/netty/netty/security/advisories/GHSA-4grm-h2qv-h6w6"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "[email protected]", "type": "Primary"}]}

{"bugzilla": {"description": "netty: Netty: Denial of Service due to memory exhaustion in HTTP/3 codec", "id": "2488441", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2488441"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-770", "details": ["A flaw was found in Netty. A remote attacker can exploit a memory exhaustion vulnerability in the Netty HTTP/3 codec by creating an infinite number of blocked streams. This can lead to an Out Of Memory (OOM) error, resulting in a Denial of Service (DoS) for the affected system."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-48748", "package_state": [{"cpe": "cpe:/a:redhat:apache_camel_hawtio:4", "fix_state": "Under investigation", "package_name": "netty-codec-http3", "product_name": "Red Hat build of Apache Camel - HawtIO 4"}], "public_date": "2026-06-12T14:45:04Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-48748\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-48748\nhttps://github.com/netty/netty/releases/tag/netty-4.2.15.Final\nhttps://github.com/netty/netty/security/advisories/GHSA-4grm-h2qv-h6w6"], "threat_severity": "Important"}