CVE-2026-48748

Netty · Netty

An unchecked resource allocation vulnerability in the Netty HTTP/3 codec allows unauthenticated attackers to cause a denial of service via memory exhaustion by opening an unbounded number of blocked streams.

Executive summary

A high-severity memory exhaustion flaw in the Netty HTTP/3 codec allows remote, unauthenticated attackers to crash the affected application by opening an unbounded number of blocked streams.

Vulnerability

The Netty HTTP/3 codec does not track and limit the streams it has allocated state for but that remain blocked. An unauthenticated attacker can therefore keep opening streams that never complete, each holding memory, until the process exhausts its heap and throws an OutOfMemoryError (OOM).

Business impact

The CVSS score of 7.5 (High) reflects a denial-of-service flaw that is reachable over the network without authentication and has no confidentiality or integrity impact. By exhausting heap memory an attacker can crash the application, resulting in service downtime and disruption of dependent business processes. Note that a JVM that throws OutOfMemoryError does not necessarily exit: unless it is started with -XX:+ExitOnOutOfMemoryError (or an equivalent supervisor restart), the process may remain up but unresponsive, so the outage persists until someone restarts it.

Remediation

Immediate Action: Update to Netty version 4.2.15.Final or later, which adds proper stream tracking and resource limits to the HTTP/3 codec. Netty is frequently pulled in transitively, so confirm the version that actually ends up on the classpath with your build tool's dependency report rather than relying on a declared version.

Proactive Monitoring: Review application logs (and QUIC/HTTP/3 connection metrics, where exported) for peers that open streams far faster than they complete them, for connections that accumulate streams that are never closed, or for peers opening many connections in a short period; any of these patterns may indicate exploitation.
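
The following Python script is an added example of the log review described above; it is not part of this advisory, the Netty project, or the Netty code base. It assumes a hypothetical per-event log format (timestamp, peer address, connection id, event name, stream id) that a Netty ChannelHandler or access log would have to emit; Netty does not produce these lines by default, so adapt the regex to whatever your application actually logs. The sample lines are constructed, not real traffic. The script flags a peer that opens streams much faster than it closes them, a connection accumulating streams that are never closed (the blocked-stream pattern this CVE exploits), and a peer opening many connections in a short window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed (hypothetical) log format; Netty does not emit these lines by default.
# Example line:
#   2026-05-01T12:00:00.100000+00:00 INFO h3 peer=203.0.113.5 conn=c-ok event=stream_open stream=4
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+h3\s+peer=(?P<peer>\S+)\s+conn=(?P<conn>\S+)"
    r"\s+event=(?P<event>\w+)(?:\s+stream=(?P<stream>\d+))?\s*$"
)


def parse_line(line):
    """Return a dict for a recognised event line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return {"ts": ts, "peer": m["peer"], "conn": m["conn"],
            "event": m["event"], "stream": m["stream"]}


def analyze(lines, window_s=10.0, max_opens_per_window=100,
            max_unclosed_per_conn=50, max_conns_per_window=20):
    """Walk the log once and return {(alert_kind, peer_or_conn): peak_count}.

    stream_flood      - a peer opened more than max_opens_per_window streams
                        within any window_s-second window
    blocked_streams   - a connection has more than max_unclosed_per_conn streams
                        opened but never closed (the pattern behind this CVE)
    rapid_connections - a peer opened more than max_conns_per_window connections
                        within any window_s-second window
    """
    opens = defaultdict(deque)    # peer -> timestamps of recent stream_open events
    conns = defaultdict(deque)    # peer -> timestamps of recent conn_open events
    unclosed = defaultdict(set)   # conn -> stream ids opened and not yet closed
    alerts = {}

    def record(kind, key, count, limit):
        # Keep the peak value seen for each (kind, key) rather than one alert per line.
        if count > limit:
            alerts[(kind, key)] = max(alerts.get((kind, key), 0), count)

    def slide(q, now):
        # Sliding-window counter: append now, drop entries older than window_s.
        q.append(now)
        while q and now - q[0] > window_s:
            q.popleft()
        return len(q)

    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        now = ev["ts"].timestamp()
        if ev["event"] == "conn_open":
            record("rapid_connections", ev["peer"],
                   slide(conns[ev["peer"]], now), max_conns_per_window)
        elif ev["event"] == "stream_open":
            record("stream_flood", ev["peer"],
                   slide(opens[ev["peer"]], now), max_opens_per_window)
            unclosed[ev["conn"]].add(ev["stream"])
            record("blocked_streams", ev["conn"],
                   len(unclosed[ev["conn"]]), max_unclosed_per_conn)
        elif ev["event"] == "stream_close":
            unclosed[ev["conn"]].discard(ev["stream"])
    return alerts


def build_sample_log():
    """Constructed sample (not real Netty output): one benign client, one attacker."""
    t0 = datetime(2026, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
    lines = []

    def emit(offset_ms, peer, conn, event, stream=None):
        ts = (t0 + timedelta(milliseconds=offset_ms)).isoformat()
        tail = f" stream={stream}" if stream is not None else ""
        lines.append(f"{ts} INFO h3 peer={peer} conn={conn} event={event}{tail}")

    # Benign client: one connection, five short-lived streams, each closed after use.
    emit(0, "203.0.113.5", "c-ok", "conn_open")
    for i in range(5):
        emit(100 + i * 50, "203.0.113.5", "c-ok", "stream_open", 4 * i)
        emit(120 + i * 50, "203.0.113.5", "c-ok", "stream_close", 4 * i)

    # Attacker: three connections, 60 streams each, none ever closed, all within ~2 s.
    n = 0
    for c in range(3):
        emit(1000 + n * 10, "198.51.100.77", f"c-atk-{c}", "conn_open")
        for i in range(60):
            emit(1000 + n * 10, "198.51.100.77", f"c-atk-{c}", "stream_open", 4 * i)
            n += 1
    return lines


if __name__ == "__main__":
    for (kind, key), peak in sorted(analyze(build_sample_log()).items()):
        print(f"{kind:18} {key:16} peak={peak}")
```

On the constructed sample the attacker trips stream_flood (180 opens inside the window) and blocked_streams on each of its three connections, while the benign client and the rapid_connections rule stay quiet; the thresholds are starting points to tune against your own baseline, and the blocked_streams rule is the one most directly tied to this CVE because it counts streams that were opened and never completed.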

Compensating Controls: Where a Web Application Firewall (WAF) or load balancer terminates HTTP/3 in front of the application, use it to cap both the number of concurrent HTTP/3 streams per client connection and the number of connections per client; a per-connection cap alone is defeated by simply opening more connections. Keep in mind that HTTP/3 runs over QUIC (UDP), so a proxy that only handles TCP traffic never sees these requests. If disabling HTTP/3 on the backend is acceptable, terminating HTTP/3 at the edge and forwarding HTTP/1.1 or HTTP/2 to the Netty service takes the vulnerable codec out of the request path entirely.

Exploitation status

Public Exploit Available: true

Analyst recommendation

Because a public exploit exists, treat this issue with high urgency. Patching the affected Netty components is the only definitive fix; the stream and connection caps above reduce exposure but do not remove it, and they should be kept in place only as a bridge until the upgrade to 4.2.15.Final or later is deployed.