Netty (HTTP/3 codec), Allocation of Resources Without Limits or Throttling, CVE-2026-48748 (High) -DC-Jun2026-451


A memory exhaustion vulnerability in the Netty HTTP/3 codec allows the creation of an unbounded number of blocked streams, which can cause an OOM error. The vulnerability exists in `io.netty.handler.codec.http3.QpackDecoder#shouldWaitForDynamicTableUpdates`: if a client sends a header referencing a dynamic table entry that the server has not received yet, the server must pause that stream and wait for the missing entry to arrive. To prevent attackers from exhausting resources by intentionally sending missing references, Netty limits the number of streams that can be blocked at the same time. However, the check is implemented as `if (blockedStreamsCount == maxBlockedStreams - 1)`.

If the server enables QPACK dynamic tables (by setting `HTTP3_SETTINGS_QPACK_MAX_TABLE_CAPACITY` > 0) but does not explicitly configure `HTTP3_SETTINGS_QPACK_BLOCKED_STREAMS`, that setting defaults to 0. When `maxBlockedStreams` is 0, the condition evaluates to `blockedStreamsCount == -1`. Since `blockedStreamsCount` starts at `0` and only increments, it never equals -1. This bypasses the limit, allowing an attacker to open an unbounded number of streams that block indefinitely.

Additionally, the `QpackDecoder` never removes unblocked streams from the `blockedStreams` map or decrements the counter, so the `ReadResumptionListener` for each blocked stream is kept in memory for the entire lifetime of the connection. This exhausts server memory and crashes the JVM.

DailyCVE Form:

Platform: Netty (HTTP/3)
Version: prior to 4.2.13.Final
Vulnerability: Memory Exhaustion
Severity: High
Date: 2026-06-08

Prediction: 2026-06-15

What Undercode Says:

Analyzing the vulnerability’s mechanics, an attacker would send crafted HTTP/3 HEADERS frames to a server that has QPACK dynamic tables enabled. The server’s `maxBlockedStreams` value defaults to 0, so the blocked-stream limit check is entirely bypassed. This allows the attacker to keep increasing the number of blocked streams without bound, leading to an out-of-memory (OOM) error and a JVM crash. The core of the attack lies in the flawed conditional logic within `shouldWaitForDynamicTableUpdates`.

```bash
# Simulate a vulnerable server state (conceptual example).
# This demonstrates how the condition (blockedStreamsCount == maxBlockedStreams - 1)
# fails when maxBlockedStreams = 0, because (0 == -1) is always false.
blockedStreamsCount=0
maxBlockedStreams=0   # HTTP3_SETTINGS_QPACK_BLOCKED_STREAMS left at its default
while true; do
  if [ "$blockedStreamsCount" -eq $((maxBlockedStreams - 1)) ]; then
    echo "Limit reached. Blocking."
    break
  else
    echo "Creating blocked stream $blockedStreamsCount (bypassing limit)."
    blockedStreamsCount=$((blockedStreamsCount + 1))
  fi
done
```

This loop would run forever, as the condition `blockedStreamsCount == -1` is never met, illustrating the bypass.
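A small Python model of the blocked-stream accounting described above, added here as an illustration and not Netty's own code: it contrasts the off-by-one check with a hardened `>=` check that also honours a limit of zero, and releases blocked streams once the missing table entry arrives instead of retaining them for the life of the connection. The class and method names, the stream ids and the use of `ConnectionError` for the QPACK connection error are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class QpackDecoderModel:
    """Blocked-stream bookkeeping of a QPACK decoder (constructed model, not Netty's code)."""
    max_blocked_streams: int                 # HTTP3_SETTINGS_QPACK_BLOCKED_STREAMS (default 0)
    vulnerable: bool                         # True: off-by-one check; False: hardened check
    insert_count: int = 0                    # dynamic table entries received so far
    blocked_streams: dict = field(default_factory=dict)  # stream id -> required insert count

    def should_wait_for_dynamic_table_updates(self, stream_id: int, required_insert_count: int) -> bool:
        if required_insert_count <= self.insert_count:
            return False  # every referenced entry is present: decode immediately
        if self.vulnerable:
            # With max_blocked_streams == 0 this compares the counter with -1,
            # which a non-negative counter never equals, so the limit is bypassed.
            if len(self.blocked_streams) == self.max_blocked_streams - 1:
                raise ConnectionError("too many blocked streams")
        else:
            # Reject as soon as the table is full, including a limit of zero.
            if len(self.blocked_streams) >= self.max_blocked_streams:
                raise ConnectionError("too many blocked streams")
        self.blocked_streams[stream_id] = required_insert_count
        return True

    def on_dynamic_table_insert(self) -> list:
        """Record one new table entry and release every stream it unblocks."""
        self.insert_count += 1
        resumed = [s for s, need in self.blocked_streams.items() if need <= self.insert_count]
        for s in resumed:
            del self.blocked_streams[s]  # drop the entry so nothing is retained per stream
        return resumed


def count_blocked_before_rejection(max_blocked_streams: int, vulnerable: bool, attempts: int = 1000) -> int:
    """Open `attempts` streams that each reference an entry the decoder lacks and
    return how many the decoder parked as blocked before refusing (constructed ids)."""
    decoder = QpackDecoderModel(max_blocked_streams, vulnerable)
    for stream_id in range(attempts):
        try:
            decoder.should_wait_for_dynamic_table_updates(4 * stream_id, required_insert_count=1)
        except ConnectionError:
            break
    return len(decoder.blocked_streams)


if __name__ == "__main__":
    print("vulnerable, limit 0:", count_blocked_before_rejection(0, vulnerable=True))   # 1000
    print("hardened,   limit 0:", count_blocked_before_rejection(0, vulnerable=False))  # 0
```

With the default of 0 the vulnerable check parks every stream, while the hardened check refuses the first one; an explicit positive `HTTP3_SETTINGS_QPACK_BLOCKED_STREAMS` is what gives the limit a meaning under either check.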

Exploit:

A remote, unauthenticated attacker can exploit this vulnerability by sending a continuous stream of specially crafted HTTP/3 requests to a vulnerable server. Each request references a dynamic table entry not yet present on the server, forcing the server to pause and block the stream. Due to the flawed limit check, the server will keep blocking new streams indefinitely, consuming all available memory.

Protection:

The primary protection is to upgrade Netty to a patched version (4.2.13.Final or later). If an immediate upgrade is not possible, explicitly configure `HTTP3_SETTINGS_QPACK_BLOCKED_STREAMS` to a positive integer value on the server side. This ensures the `maxBlockedStreams` value is not 0, re-engaging the stream limit check.

Impact:

Denial of Service (DoS). A successful attack leads to memory exhaustion and crashes the Java Virtual Machine (JVM), rendering the server unavailable. Any server using the `netty-codec-http3` package with QPACK dynamic tables enabled and the `maxBlockedStreams` setting left at its default value of `0` is impacted.

Sources:

Reported By: github.com