Netty, Memory allocation denial-of-service, CVE-2024-29025 (critical)

How the mentioned CVE works:

The vulnerability exists in Netty’s HTTP/3 QPACK decoder.

Specifically in io.netty.handler.codec.http3.QpackDecoder.decodeHuffmanEncodedLiteral.

When decoding a non-Huffman encoded string literal, the code calls new byte[length].
The length value is read directly from the malicious wire input.
A length field can be encoded in just a few bytes (varint).
An attacker can send a tiny HEADERS frame claiming a huge length, e.g., 1 GiB.
The decoder does NOT validate that length <= in.readableBytes() before allocation.
Thus it allocates a massive byte array based on unverified attacker input.
This happens before checking if the actual data bytes are available.
A single small packet (e.g., 10 bytes) can force a gigabyte allocation.

Multiple such frames can exhaust server memory rapidly.

The PoC uses a ~1 GiB non-Huffman name length in a QPACK section.

The server then throws IndexOutOfBoundsException or OutOfMemoryError.

This leads to denial of service: slowdown, stalling, or crash.
No authentication or special permissions are required to trigger it.
The attack vector is HTTP/3 over QUIC, targeting header decompression.

Affected versions: Netty before 4.1.108.Final.

The patch adds a bounds check before allocation.

Upgrading to 4.1.108.Final or later mitigates the issue.
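The allocate-before-check pattern described above, and the bounds check the patch adds, as an added stand-alone model that is not Netty's code. It assumes a 7-bit length prefix (the RFC 7541 prefixed-integer form QPACK reuses), uses java.nio.ByteBuffer in place of Netty's ByteBuf, and constructs a 10-byte input whose varint claims a 0x3FFFFFFF-byte literal.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;

// Hypothetical stand-alone model of the QPACK string-literal decode path (not Netty's code).
public class QpackLiteralCheck {
    // HPACK/QPACK prefixed integer (RFC 7541 s5.1): N low bits of the first byte, then
    // 7-bit little-endian continuation bytes while the high bit is set.
    static long readPrefixedInt(ByteBuffer in, int prefixBits) {
        int mask = (1 << prefixBits) - 1;
        long value = in.get() & mask;
        if (value < mask) return value;
        int shift = 0, b;
        do {
            b = in.get() & 0xFF;
            value += (long) (b & 0x7F) << shift;
            shift += 7;
        } while ((b & 0x80) != 0);
        return value;
    }

    // Vulnerable shape: the wire length drives the allocation before the payload is known to exist.
    static byte[] decodeUnchecked(ByteBuffer in) {
        long length = readPrefixedInt(in, 7);
        byte[] out = new byte[(int) length];   // a 6-byte length header can demand ~1 GiB here
        in.get(out);
        return out;
    }

    // Hardened shape: bound the length by the bytes actually received before allocating.
    static byte[] decodeChecked(ByteBuffer in) {
        long length = readPrefixedInt(in, 7);
        if (length > in.remaining()) {
            throw new IllegalStateException("literal length " + length
                    + " exceeds " + in.remaining() + " readable bytes");
        }
        byte[] out = new byte[(int) length];
        in.get(out);
        return out;
    }

    public static void main(String[] args) {
        // Constructed input: saturated 7-bit prefix (0x7F) plus varint continuation encoding
        // 0x3FFFFFFF (1073741823) as the claimed length, followed by only 4 real payload bytes.
        byte[] tiny = {0x7F, (byte) 0x80, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, 0x03, 1, 2, 3, 4};
        try {
            decodeChecked(ByteBuffer.wrap(tiny));
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // A well-formed literal still decodes: length 3 followed by "abc".
        byte[] ok = {0x03, 'a', 'b', 'c'};
        System.out.println(new String(decodeChecked(ByteBuffer.wrap(ok)), StandardCharsets.US_ASCII));
        // decodeUnchecked(ByteBuffer.wrap(tiny)) would attempt a ~1 GiB allocation (OutOfMemoryError under -Xmx256m).
    }
}
```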

dailycve form:

Platform: Netty HTTP/3
Version: Before 4.1.108.Final
Vulnerability: QPACK huge allocation
Severity: Critical
Date: 2024-04-04

Prediction: Already patched (4.1.108)

What Undercode Says:

Analytics

Check Netty version in your project

mvn dependency:tree | grep netty

Detect if vulnerable (HTTP/3 endpoint)

curl --http3 -H "X-Crafted: $(python3 -c 'print("A"*1000000)')" https://target:8443

Monitor memory usage under load

watch -n 1 'ps aux | grep java | awk "{print \$6}"'

Simulate with provided JUnit test (requires netty-codec-http3)

javac -cp netty-all.jar QpackTest.java && java -Xmx256m QpackTest

Exploit:

Craft a single HTTP/3 HEADERS frame with a QPACK literal name length field set to 0x3FFFFFFF (~1GB) using minimal varint encoding. Send before completing stream data. Server allocates huge byte array, crashes with OOM.

Protection from this CVE

Upgrade to Netty 4.1.108.Final or later. If unable, apply the patch that adds `if (length > in.readableBytes()) throw new QpackDecoderException();` before new byte[length]. Disable HTTP/3 support temporarily. Use memory limits with -XX:MaxDirectMemorySize.

Impact:

Remote unauthenticated attacker triggers massive memory allocations using tiny packets, leading to denial of service (server slowdown, unresponsiveness, or crash). No data leak or code execution, but availability severely impacted under moderate attack traffic.

Sources:

Reported By: github.com
Extra Source Hub:
Undercode
