Lucene search
+L

57 matches found

cvelist
cvelist
added 2026/06/12 2:45 p.m.39 views

CVE-2026-48748 Netty HTTP/3 QPACK Blocked Streams Memory Exhaustion

Netty is a network application framework for development of protocol servers and clients. Prior to version 4.2.15.Final, a memory exhaustion vulnerability in the Netty HTTP/3 codec allows the creation of an infinite number of blocked streams, which can cause OOM error. Version 4.2.15.Final patche...

7.5CVSS0.00366EPSS
Exploits0References2
vulnrichment
vulnrichment
added 2026/06/12 2:45 p.m.13 views

CVE-2026-48748 Netty HTTP/3 QPACK Blocked Streams Memory Exhaustion

Netty is a network application framework for development of protocol servers and clients. Prior to version 4.2.15.Final, a memory exhaustion vulnerability in the Netty HTTP/3 codec allows the creation of an infinite number of blocked streams, which can cause OOM error. Version 4.2.15.Final patche...

7.5CVSS5.3AI score0.00366EPSS
Exploits0References2
osv
osv
added 2026/06/12 2:45 p.m.5 views

CVE-2026-48748 Netty HTTP/3 QPACK Blocked Streams Memory Exhaustion

Netty is a network application framework for development of protocol servers and clients. Prior to version 4.2.15.Final, a memory exhaustion vulnerability in the Netty HTTP/3 codec allows the creation of an infinite number of blocked streams, which can cause OOM error. Version 4.2.15.Final patche...

7.5CVSS7AI score0.00366EPSS
Exploits0References7
suse
suse
added 2026/06/09 8:14 a.m.12 views

Security update for netty, netty-tcnative

This update for netty, netty-tcnative fixes the following issues CVE-2026-41417: missing validations leads to HTTP request smuggling and RTSP request injection via start-line injection in DefaultHttpRequest.setUri bsc1264350. CVE-2026-42578: HTTP Header Injection via HttpProxyHandler Disabled...

8.8CVSS6.7AI score0.00969EPSS
Exploits11References48
osv
osv
added 2026/06/09 8:13 a.m.7 views

SUSE-SU-2026:2308-1 Security update for netty, netty-tcnative

This update for netty, netty-tcnative fixes the following issues - CVE-2026-41417: missing validations leads to HTTP request smuggling and RTSP request injection via start-line injection in DefaultHttpRequest.setUri bsc1264350. - CVE-2026-42578: HTTP Header Injection via HttpProxyHandler Disabled...

9.8CVSS6.8AI score0.00969EPSS
Exploits11References25
redhatcve
redhatcve
added 2026/06/05 7:17 p.m.21 views

CVE-2026-42582

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final, when decoding header blocks, the non-Huffman branch of io.netty.handler.codec.http3.QpackDecoderdecodeHuffmanEncodedLiteral may execute new bytelength for a string literal before verifying that length byt...

7.5CVSS5.5AI score0.00437EPSS
Exploits1References1
nessus
nessus
added 2026/06/05 12:0 a.m.20 views

Linux Distros Unpatched Vulnerability : CVE-2026-40898

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - quic-go is an implementation of the QUIC protocol in Go. Prior to version 0.59.1, an attacker can cause excessive memory allocation in quic-go's HTTP/3 client a...

7.5CVSS5.5AI score0.00279EPSS
Exploits0References3
osv
osv
added 2026/06/04 7:16 p.m.11 views

DEBIAN-CVE-2026-40898

quic-go is an implementation of the QUIC protocol in Go. Prior to version 0.59.1, an attacker can cause excessive memory allocation in quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large trailer field section with many unique field...

7.5CVSS5.4AI score0.00279EPSS
Exploits0References1
vulnrichment
vulnrichment
added 2026/06/04 5:43 p.m.9 views

CVE-2026-40898 quic-go: HTTP/3 QPACK Trailer Expansion Memory Exhaustion

quic-go is an implementation of the QUIC protocol in Go. Prior to version 0.59.1, an attacker can cause excessive memory allocation in quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large trailer field section with many unique field...

5.3CVSS5.8AI score0.00279EPSS
Exploits0References2
attackerkb
attackerkb
added 2026/06/04 5:43 p.m.11 views

CVE-2026-40898

quic-go is an implementation of the QUIC protocol in Go. Prior to version 0.59.1, an attacker can cause excessive memory allocation in quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large trailer field section with many unique field...

5.3CVSS6.8AI score0.00338EPSS
Exploits0References3Affected Software1
osv
osv
added 2026/06/04 5:43 p.m.1 views

CVE-2026-40898 quic-go: HTTP/3 QPACK Trailer Expansion Memory Exhaustion

quic-go is an implementation of the QUIC protocol in Go. Prior to version 0.59.1, an attacker can cause excessive memory allocation in quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large trailer field section with many unique field...

5.3CVSS5.9AI score0.00279EPSS
Exploits0References4
snyk
snyk
added 2026/06/03 8:59 p.m.12 views

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the processing of QPACK-encoded HEADERS frames containing trailer field sections. An attacker can cause excessive memory allocation by sending specially crafted frames with ma...

7.5CVSS5.4AI score0.00279EPSS
Exploits0References2
github
github
added 2026/06/03 8:59 p.m.29 views

quic-go: HTTP/3 QPACK Trailer Expansion Memory Exhaustion

Summary An attacker can cause excessive memory allocation in quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large trailer field section with many unique field names and/or large values. The implementation builds an http.Header for t...

7.5CVSS6.8AI score0.00279EPSS
Exploits0References7Affected Software1
osv
osv
added 2026/06/03 8:59 p.m.9 views

GHSA-VVGJ-X9JQ-8CJ9 quic-go: HTTP/3 QPACK Trailer Expansion Memory Exhaustion

Summary An attacker can cause excessive memory allocation in quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large trailer field section with many unique field names and/or large values. The implementation builds an http.Header for t...

5.3CVSS5.8AI score0.00279EPSS
Exploits0References7
osv
osv
added 2026/05/13 7:17 p.m.7 views

DEBIAN-CVE-2026-42582

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final, when decoding header blocks, the non-Huffman branch of io.netty.handler.codec.http3.QpackDecoderdecodeHuffmanEncodedLiteral may execute new bytelength for a string literal before verifying that length byt...

7.5CVSS5.8AI score0.00437EPSS
Exploits1References1
osv
osv
added 2026/05/13 7:17 p.m.12 views

UBUNTU-CVE-2026-42582

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final, when decoding header blocks, the non-Huffman branch of io.netty.handler.codec.http3.QpackDecoderdecodeHuffmanEncodedLiteral may execute new bytelength for a string literal before verifying that length byt...

7.5CVSS5.8AI score0.00437EPSS
Exploits1References3
debiancve
debiancve
added 2026/05/13 6:6 p.m.11 views

CVE-2026-42582

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final, when decoding header blocks, the non-Huffman branch of io.netty.handler.codec.http3.QpackDecoderdecodeHuffmanEncodedLiteral may execute new bytelength for a string literal before verifying that length byt...

7.5CVSS5.8AI score0.00437EPSS
Exploits1
osv
osv
added 2026/05/13 6:6 p.m.4 views

CVE-2026-42582 Netty: HTTP/3 QPACK literal unbounded allocation

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final, when decoding header blocks, the non-Huffman branch of io.netty.handler.codec.http3.QpackDecoderdecodeHuffmanEncodedLiteral may execute new bytelength for a string literal before verifying that length byt...

7.5CVSS6AI score0.00437EPSS
Exploits1References3
vulnrichment
vulnrichment
added 2026/05/13 6:6 p.m.8 views

CVE-2026-42582 Netty: HTTP/3 QPACK literal unbounded allocation

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final, when decoding header blocks, the non-Huffman branch of io.netty.handler.codec.http3.QpackDecoderdecodeHuffmanEncodedLiteral may execute new bytelength for a string literal before verifying that length byt...

7.5CVSS5.8AI score0.00437EPSS
Exploits1References1
cve
cve
added 2026/05/13 6:6 p.m.22 views

CVE-2026-42582

Netty (HTTP/3) vulnerable in QpackDecoder.decodeHuffmanEncodedLiteral prior to 4.2.13.Final: the non-Huffman path may allocate byte[length] without verifying length

7.5CVSS5.8AI score0.00437EPSS
Exploits1References1Affected Software1
Rows per page
Query Builder