CVE-2026-48043 - Medium Severity Vulnerability
Vulnerable Libraries - netty-codec-http2-4.1.76.Final.jar, netty-codec-http2-4.1.67.Final.jar
netty-codec-http2-4.1.76.Final.jar
Library home page: https://netty.io/
Path to dependency file: /OPENAPI-REST-API/openapi-client/java-micronaut-client/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec-http2/4.1.76.Final/netty-codec-http2-4.1.76.Final.jar,/tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http2/4.1.76.Final/199f8352c0f19e5be97a0eac6a0b65d8f7da4218/netty-codec-http2-4.1.76.Final.jar
Dependency Hierarchy:
- micronaut-bom-3.4.3.pom (Root Library)
- ❌ netty-codec-http2-4.1.76.Final.jar (Vulnerable Library)
netty-codec-http2-4.1.67.Final.jar
Library home page: https://netty.io/
Path to dependency file: /OPENAPI-REST-API/swagger-client/micronaut/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec-http2/4.1.67.Final/netty-codec-http2-4.1.67.Final.jar
Dependency Hierarchy:
- micronaut-http-client-3.0.0.jar (Root Library)
- micronaut-http-netty-3.0.0.jar
- ❌ netty-codec-http2-4.1.67.Final.jar (Vulnerable Library)
Found in HEAD commit: 1f70e2feccb7006c8d32cc7d4fe62f5cf5e5c34d
Found in base branch: master
Vulnerability Details
Netty is a network application framework for development of protocol servers and clients. In netty-codec-http2 prior to versions 4.1.135.Final and 4.2.15.Final, the "DelegatingDecompressorFrameListener" class orchestrates HTTP/2 decompression by embedding a per-stream "EmbeddedChannel" that runs the appropriate decompression codec (gzip, deflate, zstd) and forwards decompressed chunks to a wrapped listener. Each decompressed chunk is a pooled "ByteBuf" handed to an anonymous "ChannelInboundHandlerAdapter" tail handler, which becomes the sole owner responsible for releasing it. A remote peer could send frames that would result in the flow-controller throwing and so trigger a resource leak which at the end might take down the whole JVM due OOME. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Publish Date: 2026-06-12
URL: CVE-2026-48043
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-06-12
Fix Resolution: https://github.com/netty/netty.git - 4.1.135.Final
Step up your Open Source Security Game with Mend here
CVE-2026-48043 - Medium Severity Vulnerability
netty-codec-http2-4.1.76.Final.jar
Library home page: https://netty.io/
Path to dependency file: /OPENAPI-REST-API/openapi-client/java-micronaut-client/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec-http2/4.1.76.Final/netty-codec-http2-4.1.76.Final.jar,/tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http2/4.1.76.Final/199f8352c0f19e5be97a0eac6a0b65d8f7da4218/netty-codec-http2-4.1.76.Final.jar
Dependency Hierarchy:
netty-codec-http2-4.1.67.Final.jar
Library home page: https://netty.io/
Path to dependency file: /OPENAPI-REST-API/swagger-client/micronaut/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec-http2/4.1.67.Final/netty-codec-http2-4.1.67.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 1f70e2feccb7006c8d32cc7d4fe62f5cf5e5c34d
Found in base branch: master
Netty is a network application framework for development of protocol servers and clients. In netty-codec-http2 prior to versions 4.1.135.Final and 4.2.15.Final, the "DelegatingDecompressorFrameListener" class orchestrates HTTP/2 decompression by embedding a per-stream "EmbeddedChannel" that runs the appropriate decompression codec (gzip, deflate, zstd) and forwards decompressed chunks to a wrapped listener. Each decompressed chunk is a pooled "ByteBuf" handed to an anonymous "ChannelInboundHandlerAdapter" tail handler, which becomes the sole owner responsible for releasing it. A remote peer could send frames that would result in the flow-controller throwing and so trigger a resource leak which at the end might take down the whole JVM due OOME. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Publish Date: 2026-06-12
URL: CVE-2026-48043
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Type: Upgrade version
Release Date: 2026-06-12
Fix Resolution: https://github.com/netty/netty.git - 4.1.135.Final
Step up your Open Source Security Game with Mend here