CVE-2026-42582

Netty: HTTP/3 QPACK literal unbounded allocation

Assigner: GitHub_M
Reserved: 28.04.2026 Published: 13.05.2026 Updated: 13.05.2026

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final, when decoding header blocks, the non-Huffman branch of io.netty.handler.codec.http3.QpackDecoder#decodeHuffmanEncodedLiteral may execute new byte[length] for a string literal before verifying that length bytes are actually present in the compressed field section. The wire encoding allows a very large length to be expressed in few bytes. There is no check that length <= in.readableBytes() before new byte[length]. This vulnerability is fixed in 4.2.13.Final.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS Score: 7.5

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	netty
Product	netty
Versions	Version >= 4.2.0.Alpha1, < 4.2.13.Final is affected

Vendor

netty

Product

netty

Versions

Version >= 4.2.0.Alpha1, < 4.2.13.Final is affected

Vendor	io.netty
Product	netty-codec-http3
Versions	Version >= 4.2.0.Alpha1, < 4.2.13.Final is affected

Vendor

io.netty

Product

netty-codec-http3

Versions

Version >= 4.2.0.Alpha1, < 4.2.13.Final is affected

References

Problem Types

CWE-770: Allocation of Resources Without Limits or Throttling CWE
CWE-789: Memory Allocation with Excessive Size Value CWE

CVE-2026-42582 PUBLISHED

Netty: HTTP/3 QPACK literal unbounded allocation

Metrics

Product Status

References

Problem Types