Maven package
io.netty/netty-codec-http3
pkg:maven/io.netty/netty-codec-http3
Vulnerabilities (2)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-48748 | Hig | 7.5 | >= 4.2.0.Final, < 4.2.15.Final | 4.2.15.Final | Jun 12, 2026 | Netty is a network application framework for development of protocol servers and clients. Prior to version 4.2.15.Final, a memory exhaustion vulnerability in the Netty HTTP/3 codec allows the creation of an infinite number of blocked streams, which can cause OOM error. Version 4. | |
| CVE-2026-42582 | Hig | 7.5 | < 4.2.13.Final | 4.2.13.Final | May 13, 2026 | Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final, when decoding header blocks, the non-Huffman branch of io.netty.handler.codec.http3.QpackDecoder#decodeHuffmanEncodedLiteral may execute new byte[length] for a string literal before verif |
- affected >= 4.2.0.Final, < 4.2.15.Finalfixed 4.2.15.Final
Netty is a network application framework for development of protocol servers and clients. Prior to version 4.2.15.Final, a memory exhaustion vulnerability in the Netty HTTP/3 codec allows the creation of an infinite number of blocked streams, which can cause OOM error. Version 4.
- affected < 4.2.13.Finalfixed 4.2.13.Final
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final, when decoding header blocks, the non-Huffman branch of io.netty.handler.codec.http3.QpackDecoder#decodeHuffmanEncodedLiteral may execute new byte[length] for a string literal before verif