CVE-2026-42582: Netty HTTP/3 QPACK literal unbounded allocation

May 7, 2026

When Netty decodes HTTP/3 headers, it sometimes runs new byte[length] using a length from the wire before checking that many bytes are really there. A small malicious header can claim a huge length (on the order of a gigabyte).

References

github.com/advisories/GHSA-2c5c-chwr-9hqw
github.com/netty/netty
github.com/netty/netty/security/advisories/GHSA-2c5c-chwr-9hqw
nvd.nist.gov/vuln/detail/CVE-2026-42582

Code Behaviors & Features

Detect and mitigate CVE-2026-42582 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →