CVE-2026-48748: Netty HTTP/3 QPACK Blocked Streams Memory Exhaustion
Netty is a network application framework for development of protocol servers and clients. Prior to version 4.2.15.Final, a memory exhaustion vulnerability in the Netty HTTP/3 codec allows the creation of an infinite number of blocked streams, which can cause OOM error. Version 4.2.15.Final patches the issue.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
Memory exhaustion vulnerability in the Netty HTTP/3 QPACK codec (versions 4.2.0.Final through 4.2.14.Final) allows an attacker to create an unbounded number of blocked streams. The vulnerability is reachable over the network with no authentication required and no victim interaction needed. Successful exploitation causes the affected process to run out of memory, crashing or making the service unavailable. No fix version has been published yet; HarborGuard tracks the upstream advisory and will make a patched-image rebuild available as soon as a fix is released.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle the netty artifact. Any image containing a vulnerable version of netty (>=4.2.0.Final, <4.2.15.Final) is flagged automatically. Status: Available.
HarborGuard scores this finding at CVSS 7.5 HIGH and applies each customer organization's compliance-policy weighting to prioritize it appropriately within their environment. Triage routing is available to direct the finding to the right team inbox based on service ownership rules configured per organization. Status: Available.
Because no upstream fix has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment a fix version appears upstream. In the meantime, compensating-control recommendations (network-policy isolation, HTTP/3 traffic filtering, and feature-flag gating of HTTP/3 endpoints) are surfaced in the finding detail for customers who need to act before a patch is available. Status: Pending upstream.
Exploit Conditions
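The matching step described above, as an added example that is not HarborGuard's or Netty's own code: it parses Maven-style Netty version strings so that `4.2.10.Final` sorts after `4.2.2.Final` (a plain string comparison gets this wrong), tests them against the advisory's range `>= 4.2.0.Final, < 4.2.15.Final`, and buckets SBOM entries from an image. The artifact names in `HTTP3_ARTIFACTS` and the `SAMPLE_SBOM` lines are assumptions constructed for the example; check them against your own dependency tree.

```python
"""Flag Netty HTTP/3 codec versions inside the CVE-2026-48748 range.

Added example, not HarborGuard's or Netty's own code. The codec artifact
names and the sample SBOM entries below are constructed assumptions.
"""
import re
from typing import Dict, List, Tuple

# Range exactly as the advisory states it: >= 4.2.0.Final, < 4.2.15.Final
VULN_LOWER = "4.2.0.Final"
VULN_UPPER = "4.2.15.Final"

# Assumption: the HTTP/3 codec ships in these io.netty artifacts
# (netty-all bundles every codec). Verify against your own dependency tree.
HTTP3_ARTIFACTS = {"netty-codec-http3", "netty-all"}

# Qualifier ordering modelled on Maven's rules: pre-release qualifiers sort
# before the unqualified or Final release; unknown qualifiers sort after it.
QUALIFIER_RANK = {"alpha": 0, "beta": 1, "milestone": 2, "rc": 3, "cr": 3,
                  "snapshot": 4, "": 5, "final": 5, "ga": 5, "release": 5}

VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:[.-]([A-Za-z]+)(\d*))?")


def parse_version(text: str) -> Tuple[Tuple[int, ...], int, int]:
    """Turn '4.2.15.Final' or '4.2.0.Beta3' into a sortable key.

    Numeric components compare as integers, then the qualifier rank, then the
    qualifier's trailing number. Raises ValueError on anything unexpected,
    such as '4.2.15.Final-SNAPSHOT', so callers can route it to manual review.
    """
    m = VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    numbers += (0,) * max(0, 3 - len(numbers))  # '4.2' sorts like '4.2.0'
    qualifier = (m.group(2) or "").lower()
    qualifier_number = int(m.group(3)) if m.group(3) else 0
    return numbers, QUALIFIER_RANK.get(qualifier, 6), qualifier_number


def is_vulnerable(version: str) -> bool:
    """True when version lies in [4.2.0.Final, 4.2.15.Final)."""
    return parse_version(VULN_LOWER) <= parse_version(version) < parse_version(VULN_UPPER)


def scan_sbom(components: List[str]) -> Dict[str, List[str]]:
    """Bucket 'group:artifact:version' entries from an image SBOM.

    vulnerable   - an HTTP/3 codec artifact inside the advisory range
    same_release - another io.netty artifact at an affected version; the image
                   ships the affected release line, so confirm whether the
                   HTTP/3 codec arrives as a transitive dependency
    clean        - outside the range, or not Netty at all
    unknown      - could not be parsed; review by hand
    """
    buckets: Dict[str, List[str]] = {
        "vulnerable": [], "same_release": [], "clean": [], "unknown": []}
    for entry in components:
        parts = entry.split(":")
        if len(parts) != 3:
            buckets["unknown"].append(entry)
            continue
        group, artifact, version = parts
        if group != "io.netty":
            buckets["clean"].append(entry)
            continue
        try:
            in_range = is_vulnerable(version)
        except ValueError:
            buckets["unknown"].append(entry)
            continue
        if not in_range:
            buckets["clean"].append(entry)
        elif artifact in HTTP3_ARTIFACTS:
            buckets["vulnerable"].append(entry)
        else:
            buckets["same_release"].append(entry)
    return buckets


# Constructed sample SBOM lines (not taken from any real image)
SAMPLE_SBOM = [
    "io.netty:netty-codec-http3:4.2.3.Final",
    "io.netty:netty-codec-http3:4.2.10.Final",
    "io.netty:netty-codec-http3:4.2.15.Final",
    "io.netty:netty-handler:4.2.0.Final",
    "io.netty:netty-codec-http3:4.2.0.Beta5",
    "io.netty:netty-codec-http3:4.2.15.Final-SNAPSHOT",
    "com.example:app:1.0",
]

if __name__ == "__main__":
    for bucket, entries in scan_sbom(SAMPLE_SBOM).items():
        for entry in entries:
            print(f"{bucket:12} {entry}")
```

The checker follows the advisory's range literally, so a `4.2.0.Beta5` build lands in `clean` and a snapshot of the fixed release lands in `unknown`; both are deliberate, because a scanner that silently guesses at pre-release and snapshot versions produces false negatives that are hard to spot later.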
- Network reachability: Required
The vulnerable HTTP/3 codec endpoint must be reachable over the network; an attacker sends crafted QPACK-encoded requests from any internet-accessible or internal network path.
- Authentication: Not required
No credentials or account are needed; the attacker can trigger stream creation as an unauthenticated client.
- Victim interaction: Not required
Exploitation is fully attacker-driven; no user or administrator action is required to trigger the memory exhaustion.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and imposes no special preconditions such as race conditions or specific memory layout requirements.
Blast Radius
- The affected Netty process exhausts heap memory, causing an OutOfMemoryError that crashes the JVM or renders the service completely unresponsive.
- All HTTP/3 traffic handled by the affected service is disrupted for the duration of the attack, impacting every client connected through that endpoint.
- Downstream services or components that depend on the affected Netty-based service lose connectivity, potentially cascading failures across dependent workloads.
How HarborGuard Handles This
Available on HarborGuard: because no upstream fix exists for this CVE yet, the platform monitors the advisory on every ingest cycle and will automatically queue a patched-image rebuild the moment netty 4.2.15.Final or a later fix version is published. For customers who need immediate risk reduction, the finding detail surfaces compensating controls including Kubernetes network policies to restrict inbound HTTP/3 (UDP/443 QUIC) traffic to known sources, egress filtering to limit exposure surface, and application-level feature-flag gating to disable HTTP/3 negotiation until a patch is available. For customers with auto-remediation enabled, a rebuilt image, regression-test run, and a pull request opened against affected workloads will be triggered without manual intervention as soon as the upstream fix is confirmed.
Affected Products
- netty/netty: >= 4.2.0.Final, < 4.2.15.Final
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H