netty-codec-http2: ByteBuf Reference-Count Leak in DelegatingDecompressorFrameListener Leads to Memory Exhaustion
Description
Netty's HTTP/2 decompression has a ByteBuf reference-count leak in DelegatingDecompressorFrameListener, leading to OOME.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
DelegatingDecompressorFrameListener in netty-codec-http2 performs HTTP/2 decompression by embedding a per-stream EmbeddedChannel that runs the appropriate decompression codec (gzip, deflate, zstd) and forwards the decompressed chunks to a wrapped listener. Each decompressed chunk is a pooled ByteBuf handed to an anonymous ChannelInboundHandlerAdapter tail handler, which becomes its sole owner and is responsible for releasing it. Affected versions are 4.1.134.Final and earlier, and 4.2.0.Alpha1 through 4.2.14.Final [1][2].
Exploitation
A remote peer can send HTTP/2 frames that cause the flow controller to throw an exception. When the exception occurs, the anonymous tail handler never releases the pooled ByteBuf, so its reference count is never decremented and the buffer is never returned to the pool. An attacker can trigger this condition repeatedly without authentication or any privilege beyond the ability to establish an HTTP/2 connection [1][2].
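The ownership failure described above, as an added illustration that is not Netty's own code: a simplified tail handler in the style of the per-stream EmbeddedChannel pipeline, first with the leak (the buffer is released only on the success path) and then with the release moved into a finally block so an exception thrown by the wrapped listener cannot strand a pooled buffer. LeakyTail and SafeTail are hypothetical names, and the padding and endOfStream bookkeeping of the real listener is omitted; the Netty types used (ByteBuf, ChannelInboundHandlerAdapter, Http2FrameListener, ReferenceCountUtil) are real.

```java
import io.netty.buffer.ByteBuf;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelInboundHandlerAdapter;
import io.netty.handler.codec.http2.Http2FrameListener;
import io.netty.util.ReferenceCountUtil;

// Hypothetical, simplified model (not Netty's code) of the tail handler that sits
// at the end of the per-stream decompression pipeline. It receives each
// decompressed chunk as a pooled ByteBuf and is that buffer's sole owner.
final class LeakyTail extends ChannelInboundHandlerAdapter {
    private final Http2FrameListener listener;
    private final int streamId;

    LeakyTail(Http2FrameListener listener, int streamId) {
        this.listener = listener;
        this.streamId = streamId;
    }

    @Override
    public void channelRead(ChannelHandlerContext ctx, Object msg) throws Exception {
        if (!(msg instanceof ByteBuf)) { ctx.fireChannelRead(msg); return; }
        ByteBuf decompressed = (ByteBuf) msg;
        // If onDataRead throws (for example from the flow controller), control never
        // reaches release(): refCnt stays at 1 and the pool cannot reclaim the
        // buffer. Each failed stream strands another chunk until the heap is gone.
        listener.onDataRead(ctx, streamId, decompressed, 0, false);
        decompressed.release();
    }
}

// Same handler with the release made unconditional. The tail drops its reference on
// every exit path; a listener that needs the data beyond the call retains it itself.
final class SafeTail extends ChannelInboundHandlerAdapter {
    private final Http2FrameListener listener;
    private final int streamId;

    SafeTail(Http2FrameListener listener, int streamId) {
        this.listener = listener;
        this.streamId = streamId;
    }

    @Override
    public void channelRead(ChannelHandlerContext ctx, Object msg) throws Exception {
        if (!(msg instanceof ByteBuf)) { ctx.fireChannelRead(msg); return; }
        ByteBuf decompressed = (ByteBuf) msg;
        try {
            listener.onDataRead(ctx, streamId, decompressed, 0, false);
        } finally {
            ReferenceCountUtil.release(decompressed); // runs even when onDataRead throws
        }
    }
}
```

Running a Netty application with -Dio.netty.leakDetection.level=paranoid surfaces the first variant as a "LEAK: ByteBuf.release() was not called" report, which is the signal a defender would watch for in test environments.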
Impact
Repeated exploitation leads to accumulation of unreleased pooled ByteBuf instances, causing memory exhaustion (java.lang.OutOfMemoryError) that can take down the entire JVM. This is a denial-of-service (DoS) scenario with high availability impact [1][2].
Mitigation
Fixed in versions 4.1.135.Final and 4.2.15.Final, both released. Users must upgrade to one of these patched versions. No workarounds are documented; the advisory recommends an immediate upgrade [1][2].
AI Insight generated on Jun 11, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE: mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 2
News mentions: 0
No linked articles in our index yet.