GHSA-c2gf-v879-257j
netty-codec-http2: ByteBuf Reference-Count Leak in DelegatingDecompressorFrameListener Leads to Memory Exhaustion
Details
### Impact
The `DelegatingDecompressorFrameListener` class orchestrates HTTP/2 decompression by embedding a per-stream `EmbeddedChannel` that runs the appropriate decompression codec (gzip, deflate, zstd) and forwards decompressed chunks to a wrapped listener. Each decompressed chunk is a pooled `ByteBuf` handed to an anonymous `ChannelInboundHandlerAdapter` tail handler, which becomes the sole owner responsible for releasing it.
A remote peer could send frames that cause the flow controller to throw. On that exception path the decompressed `ByteBuf` is never released, so each such frame leaks a pooled buffer; over time the accumulated leak can exhaust the heap and take down the whole JVM with an `OutOfMemoryError` (OOME).
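The ownership rule described above, shown as an added illustration rather than Netty's own code: whoever receives the pooled chunk must give up its reference on every exit path, including the one where the downstream listener throws. `ChunkConsumer`, `forwardLeaky` and `forwardSafe` are assumed names; only `io.netty:netty-buffer` and `io.netty:netty-common` are needed on the classpath.

```java
import io.netty.buffer.ByteBuf;
import io.netty.buffer.Unpooled;
import io.netty.util.ReferenceCountUtil;

public class DecompressedChunkOwnership {

    /** Stand-in for the wrapped listener; it may throw, e.g. on a flow-control error. */
    interface ChunkConsumer {
        void onData(ByteBuf chunk) throws Exception;
    }

    /** Leaky pattern: the release is skipped entirely when onData throws. */
    static void forwardLeaky(ByteBuf chunk, ChunkConsumer consumer) throws Exception {
        consumer.onData(chunk);
        chunk.release();
    }

    /** Fixed pattern: releasing in finally covers both the normal and the throwing path. */
    static void forwardSafe(ByteBuf chunk, ChunkConsumer consumer) throws Exception {
        try {
            consumer.onData(chunk);
        } finally {
            ReferenceCountUtil.release(chunk);
        }
    }

    public static void main(String[] args) {
        // Constructed consumer that always fails, standing in for a throwing flow controller.
        ChunkConsumer failing = c -> {
            throw new IllegalStateException("flow controller rejected frame");
        };

        ByteBuf leaked = Unpooled.buffer(16).writeBytes(new byte[16]);
        try {
            forwardLeaky(leaked, failing);
        } catch (Exception ignored) {
        }
        System.out.println("leaky path refCnt=" + leaked.refCnt());

        ByteBuf freed = Unpooled.buffer(16).writeBytes(new byte[16]);
        try {
            forwardSafe(freed, failing);
        } catch (Exception ignored) {
        }
        System.out.println("fixed path refCnt=" + freed.refCnt());
    }
}
```

The leaky path leaves the buffer's reference count at 1, the fixed path brings it to 0; running a service with `-Dio.netty.leakDetection.level=paranoid` makes Netty report the former pattern as a leak at garbage-collection time.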
Affected packages

| Package | Affected versions | Fixed in | Remediation |
|---|---|---|---|
| io.netty:netty-codec-http2 | 0 | 4.1.135.Final | pom.xml: bump `<version>4.1.135.Final</version>` |
| io.netty:netty-codec-http2 | 4.2.0.Alpha1 | 4.2.15.Final | pom.xml: bump `<version>4.2.15.Final</version>` |