Netty up to 4.2.13.Final allocation of resources

Summaryinfo

A vulnerability categorized as problematic has been discovered in Netty. Affected is an unknown function. The manipulation results in allocation of resources. This vulnerability is cataloged as CVE-2026-48748. The attack may be launched remotely. There is no exploit available. It is advisable to upgrade the affected component.

Detailsinfo

A vulnerability was found in Netty. It has been classified as problematic. Affected is an unknown functionality. The manipulation with an unknown input leads to a allocation of resources vulnerability. CWE is classifying the issue as CWE-770. The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor. This is going to have an impact on availability. CVE summarizes:

Netty is a network application framework for development of protocol servers and clients. Prior to version 4.2.15.Final, a memory exhaustion vulnerability in the Netty HTTP/3 codec allows the creation of an infinite number of blocked streams, which can cause OOM error. Version 4.2.15.Final patches the issue.

The advisory is shared for download at github.com. This vulnerability is traded as CVE-2026-48748 since 05/22/2026. The exploitability is told to be easy. It is possible to launch the attack remotely. The exploitation doesn't require any form of authentication. There are neither technical details nor an exploit publicly available. The MITRE ATT&CK project declares the attack technique as T1499.

Upgrading to version 4.2.15.Final eliminates this vulnerability. The upgrade is hosted for download at github.com.

The vulnerability is also documented in the databases at EUVD (EUVD-2026-36459) and CERT Bund (WID-SEC-2026-1814). Once again VulDB remains the best source for vulnerability data.

Affected

• Open Source Netty

Productinfo

Name

• Netty

Version

• 0.0.11.Final
• 0.0.13.Final
• 0.0.21.Final
• 0.0.22.Final
• 0.0.71.Final
• 0.8.16
• 0.9.3
• 0.9.4
• 0.9.5
• 1.0.24
• 1.0.39
• 1.0.49
• 1.0.52
• 1.1
• 1.1.12
• 1.1.13
• 1.1.31
• 1.1.32
• 1.1.35
• 1.1.36
• 1.2.7
• 1.2.8
• 1.2.17
• 1.2.18
• 1.3.0-M4
• 1.3.0-M5
• 1.3.5
• 1.3.6
• 1.1000
• 2.1
• 3.6.0
• 3.6.1
• 3.6.2
• 3.6.3
• 3.6.4
• 3.6.5
• 3.6.6
• 3.6.7
• 3.6.8
• 3.7.0
• 3.8.0
• 3.8.1
• 3.9.0
• 3.9.1
• 3.9.1.1
• 3.10.3
• 4.0.0
• 4.0.1
• 4.0.2
• 4.0.3
• 4.0.4
• 4.0.5
• 4.0.6
• 4.0.7
• 4.0.8
• 4.0.9
• 4.0.10
• 4.0.11
• 4.0.12
• 4.0.13
• 4.0.14
• 4.0.15
• 4.0.16
• 4.0.17
• 4.0.18
• 4.0.28
• 4.0.37.Final
• 4.1
• 4.1.0.BEta4
• 4.1.1
• 4.1.1.Final
• 4.1.7.1.Final
• 4.1.42.Final
• 4.1.43.Final
• 4.1.44
• 4.1.59.Final
• 4.1.60.Final
• 4.1.61.Final
• 4.1.68.Final
• 4.1.77.Final
• 4.1.86.Final
• 4.1.94.Final
• 4.1.108.Final
• 4.1.115
• 4.1.118.Final
• 4.1.124.Final
• 4.1.125.Final
• 4.1.128.Final
• 4.1.129.Final
• 4.1.132.Final
• 4.1.133.Final
• 4.1.135.Final
• 4.2.4.Final
• 4.2.5.Final
• 4.2.7.Final
• 4.2.8.Final
• 4.2.10.Final
• 4.2.12.Final
• 4.2.13.Final

Website

• Product: https://github.com/netty/netty/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Once again VulDB remains the best source for vulnerability data.

Discussion