{"vulnerability": "cve-2026-4874", "sightings": [{"uuid": "84510cad-5828-4cc3-8c04-c1dff00f38a7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-4874", "type": "seen", "source": "https://www.incibe.es/incibe-cert/alerta-temprana/vulnerabilidades/cve-2026-4874", "content": "", "creation_timestamp": "2026-03-26T07:16:22.000000Z"}, {"uuid": "1c2a0102-62ce-44e5-9d0b-31a43e77349a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-4874", "type": "seen", "source": "https://access.redhat.com/security/cve/CVE-2026-4874", "content": "", "creation_timestamp": "2026-03-27T03:00:08.000000Z"}, {"uuid": "3bdba2b3-a6eb-4538-ba93-df9978f8167c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-4874", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mhxbmlzugk2t", "content": "", "creation_timestamp": "2026-03-26T09:20:27.934731Z"}, {"uuid": "3aeef7e9-9967-4c05-a643-7c4776397c55", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-48748", "type": "seen", "source": "https://bsky.app/profile/hugovalters.bsky.social/post/3moaq36mskk23", "content": "CVE-2026-48748 - DoS in Netty HTTP/3 codec. Memory exhaustion from infinite blocked streams. CVSS 7.5. Update to 4.2.15.Final immediately. #CVE #infosec #Netty\n\nhttps://www.valtersit.com/cve/CVE-2026-48748/", "creation_timestamp": "2026-06-14T12:04:16.981114Z"}, {"uuid": "f89521ee-6315-4ad2-9e68-d5004e3343ef", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-48747", "type": "seen", "source": "https://bsky.app/profile/symfony.com/post/3mmtaxinnso2w", "content": "\ud83d\udd10 CVE-2026-48747: Mailomat Webhook Parser Reads the HMAC Algorithm from the Request: Signature Algorithm Downgrade\n\u27a1\ufe0f https://symfony.com/blog/cve-2026-48747-mailomat-webhook-parser-reads-the-hmac-algorithm-from-the-request-signature-algorithm-downgrade", "creation_timestamp": "2026-05-27T10:03:58.636872Z"}, {"uuid": "524fba81-8c5a-4340-951b-856ec43dda45", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-48747", "type": "seen", "source": "https://bsky.app/profile/o2cloud.bsky.social/post/3mmtq4e3x7q2h", "content": "\ud83d\udd17 CVE : CVE-2026-48489, CVE-2026-48736, CVE-2026-48747, CVE-2026-48760, CVE-2026-48761, CVE-2026-48784", "creation_timestamp": "2026-05-27T14:35:08.384364Z"}, {"uuid": "5124795f-bcac-4e92-974c-8f97679960ed", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-48748", "type": "seen", "source": "https://gist.github.com/alon710/bc7929d92c51f42ce9344791ed6ca313", "content": "# CVE-2026-48748: CVE-2026-48748: Netty HTTP/3 QPACK Blocked Streams Memory Exhaustion\n\n> **CVSS Score:** 7.5\n> **Published:** 2026-06-15\n> **Full Report:** https://cvereports.com/reports/CVE-2026-48748\n\n## Summary\nCVE-2026-48748 is a denial-of-service vulnerability in Netty's HTTP/3 codec (netty-codec-http3) occurring when QPACK dynamic tables are enabled but the blocked streams limit is not explicitly configured. A bug in limit checking and a memory leak in stream tracking allow unauthenticated remote attackers to exhaust the JVM heap memory and crash the server.\n\n## TL;DR\nA boundary check bypass and memory leak in Netty's HTTP/3 QPACK decoder allow remote attackers to exhaust JVM memory and crash servers via an unrestricted number of blocked streams.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-770\n- **Attack Vector**: Network (AV:N)\n- **CVSS Score**: 7.5\n- **EPSS Score**: 0.00488\n- **Impact**: Availability (Denial of Service via JVM OOM)\n- **Exploit Status**: PoC\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- io.netty:netty-codec-http3\n- Netty HTTP/3-enabled web servers\n- API gateways using Netty for HTTP/3\n- **netty-codec-http3**: >= 4.2.0.Final, < 4.2.15.Final (Fixed in: `4.2.15.Final`)\n\n## Mitigation\n\n- Upgrade netty-codec-http3 to version 4.2.15.Final or later.\n- Manually set HTTP3_SETTINGS_QPACK_BLOCKED_STREAMS to a non-zero limit (e.g., 100) as a temporary workaround.\n\n**Remediation Steps:**\n1. Identify all Maven, Gradle, or other dependency declarations referencing io.netty:netty-codec-http3.\n2. Update the version property to 4.2.15.Final or later.\n3. If an immediate upgrade is impossible, modify server initialization code to set Http3Settings.withQpackBlockedStreams(100) or equivalent setting in the HTTP/3 bootstrap configuration.\n4. Rebuild and redeploy the application.\n5. Monitor JVM memory usage and QUIC connection durations to detect anomalies.\n\n## References\n\n- [GitHub Advisory GHSA-4grm-h2qv-h6w6](https://github.com/netty/netty/security/advisories/GHSA-4grm-h2qv-h6w6)\n- [Netty 4.2.15.Final Release Tag](https://github.com/netty/netty/releases/tag/netty-4.2.15.Final)\n- [NVD Vulnerability Page](https://nvd.nist.gov/vuln/detail/CVE-2026-48748)\n- [CVE Record](https://www.cve.org/CVERecord?id=CVE-2026-48748)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-48748) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-16T00:56:16.000000Z"}, {"uuid": "4187da55-331b-4f76-954f-dad1dbb72cd2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-48745", "type": "seen", "source": "https://bsky.app/profile/offseq.bsky.social/post/3moh62q4wkd2f", "content": "CRITICAL: traccar-client <=9.7.19 lets attackers silently redirect GPS data via deep links \u2014 no user alert, persists after restart. Upgrade to 9.7.20 ASAP! \ud83d\udef0\ufe0f https://radar.offseq.com/threat/cve-2026-48745-cwe-940-improper-verification-of-so-6b0c4b37 #OffSeq #MobileSecurity #Vulnerability", "creation_timestamp": "2026-06-17T01:30:33.328740Z"}, {"uuid": "3bf77cd7-c2f4-4892-8ab8-6aa057fdeeb3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-48745", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mogzacajbs2j", "content": "CVE-2026-48745 - Traccar Client: silent configuration hijack via unverified deep link redirects all GPS telemetry\nCVE ID : CVE-2026-48745\n \n Published : June 16, 2026, 10:19 p.m. | 1\u00a0hour, 13\u00a0minutes ago\n \n Description : Traccar Client is a GPS tracking mobile app for sending ...", "creation_timestamp": "2026-06-17T00:04:10.434652Z"}]}