CVE-2026-48748

Vulnerability

A memory exhaustion vulnerability exists in the Netty HTTP/3 codec, specifically in io.netty.handler.codec.http3.QpackDecoder#shouldWaitForDynamicTableUpdates. When the server enables QPACK dynamic tables (by setting HTTP3_SETTINGS_QPACK_MAX_TABLE_CAPACITY > 0) but does not explicitly configure HTTP3_SETTINGS_QPACK_BLOCKED_STREAMS, the value defaults to 0. The limit check is implemented as if (blockedStreamsCount == maxBlockedStreams - 1), which with maxBlockedStreams of 0 evaluates to blockedStreamsCount == -1. Since blockedStreamsCount starts at 0 and only increments, this condition is never true, bypassing the limit entirely. This affects all versions prior to 4.2.15.Final [1][2].

Exploitation

An attacker with network access to the server can send HTTP/3 requests that reference QPACK table entries not yet received by the server. Each such request causes a stream to block while waiting for the missing entry. Because the blocked stream limit is never enforced, the attacker can open an arbitrary number of blocked streams. Additionally, the QpackDecoder never removes unblocked streams from the blockedStreams map or decrements the counter, so the ReadResumptionListener for each blocked stream remains in memory for the entire connection lifetime. No authentication or special privileges are required [2].

Impact

Successful exploitation leads to unbounded memory consumption, resulting in an Out-of-Memory (OOM) error and denial of service. The server process may crash, making the service unavailable. This is a high-severity issue (CVSS 7.5) [1][2].

Mitigation

The vulnerability is fixed in Netty version 4.2.15.Final, released on 2026-06-12 [1]. Users should upgrade to this version or later. No workaround is documented; if upgrading is not immediately possible, disabling QPACK dynamic tables (setting HTTP3_SETTINGS_QPACK_MAX_TABLE_CAPACITY to 0) may prevent exploitation, but this may impact performance [2].