Search

Find a vulnerability

Search criteria

    8 vulnerabilities found for netty-codec-http by io.netty

    CVE-2026-42587 (GCVE-0-2026-42587)

    Vulnerability from nvd – Published: 2026-05-13 18:22 – Updated: 2026-07-03 12:04
    VLAI
    Title
    Netty: HttpContentDecompressor maxAllocation bypass via Content-Encoding: br/zstd/snappy enables decompression bomb DoS
    Summary
    Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate encodings via ZlibDecoder, but is silently ignored when the content encoding is br (Brotli), zstd, or snappy. An attacker can bypass the configured decompression limit by sending a compressed payload with Content-Encoding: br instead of Content-Encoding: gzip, causing unbounded memory allocation and out-of-memory denial of service. The same vulnerability exists in DelegatingDecompressorFrameListener for HTTP/2 connections. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    References
    Impacted products
    Vendor Product Version
    netty netty Affected: >= 4.2.0.Alpha1, < 4.2.13.Final
    Affected: < 4.1.133.Final
    Create a notification for this product.
    io.netty netty-codec-http Affected: >= 4.2.0.Alpha1, < 4.2.13.Final
    Affected: < 4.1.133.Final
    Create a notification for this product.
    io.netty netty-codec-http2 Affected: >= 4.2.0.Alpha1, < 4.2.13.Final
    Affected: < 4.1.133.Final
    Create a notification for this product.
    Red Hat Cryostat 4 on RHEL 9     cpe:/a:redhat:cryostat:4::el9
    Create a notification for this product.
    Red Hat Red Hat OpenShift Dev Spaces 3.28     cpe:/a:redhat:openshift_devspaces:3.28::el9
    Create a notification for this product.
    Red Hat Red Hat build of Quarkus 3.27.4     cpe:/a:redhat:quarkus:3.27::el8
    Create a notification for this product.
    Red Hat Red Hat build of Quarkus 3.33.2     cpe:/a:redhat:quarkus:3.33::el8
    Create a notification for this product.
    Red Hat Streams for Apache Kafka 2.9.4     cpe:/a:redhat:amq_streams:2.9::el9
    Create a notification for this product.
    Red Hat Cryostat 4     cpe:/a:redhat:cryostat:4
    Create a notification for this product.
    Red Hat OpenShift Serverless     cpe:/a:redhat:serverless:1
    Create a notification for this product.
    Red Hat Red Hat AMQ Broker 7     cpe:/a:redhat:amq_broker:7
    Create a notification for this product.
    Red Hat Red Hat AMQ Clients     cpe:/a:redhat:amq_clients:2023
    Create a notification for this product.
    Red Hat Red Hat build of Apache Camel for Spring Boot 4     cpe:/a:redhat:camel_spring_boot:4
    Create a notification for this product.
    Red Hat Red Hat build of Apicurio Registry 2     cpe:/a:redhat:service_registry:2
    Create a notification for this product.
    Red Hat Red Hat build of Apicurio Registry 3     cpe:/a:redhat:apicurio_registry:3
    Create a notification for this product.
    Red Hat Red Hat build of Debezium 3     cpe:/a:redhat:debezium:3
    Create a notification for this product.
    Red Hat Red Hat Build of Keycloak     cpe:/a:redhat:build_keycloak:
    Create a notification for this product.
    Red Hat Red Hat build of OptaPlanner 8     cpe:/a:redhat:optaplanner:::el6
    Create a notification for this product.
    Red Hat Red Hat Data Grid 8     cpe:/a:redhat:jboss_data_grid:8
    Create a notification for this product.
    Red Hat Red Hat Fuse 7     cpe:/a:redhat:jboss_fuse:7
    Create a notification for this product.
    Red Hat Red Hat JBoss Enterprise Application Platform 7     cpe:/a:redhat:jboss_enterprise_application_platform:7
    Create a notification for this product.
    Red Hat Red Hat JBoss Enterprise Application Platform 8     cpe:/a:redhat:jboss_enterprise_application_platform:8
    Create a notification for this product.
    Red Hat Red Hat JBoss Enterprise Application Platform Expansion Pack     cpe:/a:redhat:jbosseapxp
    Create a notification for this product.
    Red Hat Red Hat OpenShift AI (RHOAI)     cpe:/a:redhat:openshift_ai
    Create a notification for this product.
    Red Hat Red Hat OpenShift Dev Spaces     cpe:/a:redhat:openshift_devspaces:3
    Create a notification for this product.
    Red Hat Red Hat Process Automation 7     cpe:/a:redhat:jboss_enterprise_bpms_platform:7
    Create a notification for this product.
    Red Hat Red Hat Single Sign-On 7     cpe:/a:redhat:red_hat_single_sign_on:7
    Create a notification for this product.
    Red Hat streams for Apache Kafka 2     cpe:/a:redhat:amq_streams:2
    Create a notification for this product.
    Red Hat streams for Apache Kafka 3     cpe:/a:redhat:amq_streams:3
    Create a notification for this product.
    Red Hat Red Hat build of Apache Camel 4 for Quarkus 3     cpe:/a:redhat:camel_quarkus:3
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AI (RHEL AI) 3     cpe:/a:redhat:enterprise_linux_ai:3
    Create a notification for this product.
    Red Hat Red Hat Satellite 6     cpe:/a:redhat:satellite:6
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-42587",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-13T18:43:31.138358Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-23T15:52:26.728Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/netty/netty/security/advisories/GHSA-f6hv-jmp6-3vwv"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:cryostat:4::el9"
                ],
                "defaultStatus": "affected",
                "product": "Cryostat 4 on RHEL 9",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_devspaces:3.28::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift Dev Spaces 3.28",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:quarkus:3.27::el8"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat build of Quarkus 3.27.4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:quarkus:3.33::el8"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat build of Quarkus 3.33.2",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:amq_streams:2.9::el9"
                ],
                "defaultStatus": "affected",
                "product": "Streams for Apache Kafka 2.9.4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:cryostat:4"
                ],
                "defaultStatus": "affected",
                "product": "Cryostat 4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:serverless:1"
                ],
                "defaultStatus": "affected",
                "product": "OpenShift Serverless",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:amq_broker:7"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat AMQ Broker 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:amq_clients:2023"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat AMQ Clients",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:camel_spring_boot:4"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat build of Apache Camel for Spring Boot 4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:service_registry:2"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat build of Apicurio Registry 2",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:apicurio_registry:3"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat build of Apicurio Registry 3",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:debezium:3"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat build of Debezium 3",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:build_keycloak:"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Build of Keycloak",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:optaplanner:::el6"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat build of OptaPlanner 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jboss_data_grid:8"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Data Grid 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jboss_fuse:7"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Fuse 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jboss_enterprise_application_platform:7"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat JBoss Enterprise Application Platform 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jboss_enterprise_application_platform:8"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat JBoss Enterprise Application Platform 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jbosseapxp"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_ai"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift AI (RHOAI)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_devspaces:3"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift Dev Spaces",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Process Automation 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:red_hat_single_sign_on:7"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Single Sign-On 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:amq_streams:2"
                ],
                "defaultStatus": "affected",
                "product": "streams for Apache Kafka 2",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:amq_streams:3"
                ],
                "defaultStatus": "affected",
                "product": "streams for Apache Kafka 3",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:camel_quarkus:3"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat build of Apache Camel 4 for Quarkus 3",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:enterprise_linux_ai:3"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:satellite:6"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Satellite 6",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-05-13T18:22:21.699Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in Netty. A remote attacker can bypass the configured decompression limit in the HttpContentDecompressor by sending a specially crafted compressed payload using Brotli (br), Zstandard (zstd), or Snappy content encodings. This can lead to unbounded memory allocation, resulting in an out-of-memory Denial of Service (DoS) for the affected system."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-770",
                    "description": "Allocation of Resources Without Limits or Throttling",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-03T12:04:48.821Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-42587"
              },
              {
                "name": "RHBZ#2477220",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2477220"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42587.json"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:28010"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:25123"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:23808"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:24502"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:34608"
              }
            ],
            "solutions": [
              {
                "lang": "en",
                "value": "RHSA-2026:28010: Cryostat 4 on RHEL 9"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:25123: Red Hat OpenShift Dev Spaces 3.28"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:23808: Red Hat build of Quarkus 3.27.4"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:24502: Red Hat build of Quarkus 3.33.2"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:34608: Streams for Apache Kafka 2.9.4"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-05-13T19:01:35.415Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-05-13T18:22:21.699Z",
                "value": "Made public."
              }
            ],
            "title": "netty: io.netty/netty-codec-http: io.netty/netty-codec-http2: Netty: Denial of Service via unbounded memory allocation in HTTP content decompression",
            "workarounds": [
              {
                "lang": "en",
                "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."
              }
            ],
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "netty",
              "vendor": "netty",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 4.2.0.Alpha1, \u003c 4.2.13.Final"
                },
                {
                  "status": "affected",
                  "version": "\u003c 4.1.133.Final"
                }
              ]
            },
            {
              "product": "netty-codec-http",
              "vendor": "io.netty",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 4.2.0.Alpha1, \u003c 4.2.13.Final"
                },
                {
                  "status": "affected",
                  "version": "\u003c 4.1.133.Final"
                }
              ]
            },
            {
              "product": "netty-codec-http2",
              "vendor": "io.netty",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 4.2.0.Alpha1, \u003c 4.2.13.Final"
                },
                {
                  "status": "affected",
                  "version": "\u003c 4.1.133.Final"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate encodings via ZlibDecoder, but is silently ignored when the content encoding is br (Brotli), zstd, or snappy. An attacker can bypass the configured decompression limit by sending a compressed payload with Content-Encoding: br instead of Content-Encoding: gzip, causing unbounded memory allocation and out-of-memory denial of service. The same vulnerability exists in DelegatingDecompressorFrameListener for HTTP/2 connections. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400: Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-13T18:22:21.699Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/netty/netty/security/advisories/GHSA-f6hv-jmp6-3vwv",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/netty/netty/security/advisories/GHSA-f6hv-jmp6-3vwv"
            }
          ],
          "source": {
            "advisory": "GHSA-f6hv-jmp6-3vwv",
            "discovery": "UNKNOWN"
          },
          "title": "Netty: HttpContentDecompressor maxAllocation bypass via Content-Encoding: br/zstd/snappy enables decompression bomb DoS"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-42587",
        "datePublished": "2026-05-13T18:22:21.699Z",
        "dateReserved": "2026-04-28T17:26:12.086Z",
        "dateUpdated": "2026-07-03T12:04:48.821Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-42585 (GCVE-0-2026-42585)

    Vulnerability from nvd – Published: 2026-05-13 18:12 – Updated: 2026-05-15 20:34
    VLAI
    Title
    Netty: HTTP Request Smuggling due to malformed Transfer-Encoding
    Summary
    Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
    Assigner
    References
    Impacted products
    Vendor Product Version
    netty netty Affected: >= 4.2.0.Alpha1, < 4.2.13.Final
    Affected: < 4.1.133.Final
    Create a notification for this product.
    io.netty netty-codec-http Affected: >= 4.2.0.Alpha1, < 4.2.13.Final
    Affected: < 4.1.133.Final
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-42585",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-15T20:33:59.288432Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-15T20:34:21.305Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/netty/netty/security/advisories/GHSA-38f8-5428-x5cv"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "netty",
              "vendor": "netty",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 4.2.0.Alpha1, \u003c 4.2.13.Final"
                },
                {
                  "status": "affected",
                  "version": "\u003c 4.1.133.Final"
                }
              ]
            },
            {
              "product": "netty-codec-http",
              "vendor": "io.netty",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 4.2.0.Alpha1, \u003c 4.2.13.Final"
                },
                {
                  "status": "affected",
                  "version": "\u003c 4.1.133.Final"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-444",
                  "description": "CWE-444: Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-13T18:13:17.497Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/netty/netty/security/advisories/GHSA-38f8-5428-x5cv",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/netty/netty/security/advisories/GHSA-38f8-5428-x5cv"
            }
          ],
          "source": {
            "advisory": "GHSA-38f8-5428-x5cv",
            "discovery": "UNKNOWN"
          },
          "title": "Netty: HTTP Request Smuggling due to malformed Transfer-Encoding"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-42585",
        "datePublished": "2026-05-13T18:12:39.586Z",
        "dateReserved": "2026-04-28T17:26:12.086Z",
        "dateUpdated": "2026-05-15T20:34:21.305Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-42584 (GCVE-0-2026-42584)

    Vulnerability from nvd – Published: 2026-05-13 18:10 – Updated: 2026-07-01 12:05
    VLAI
    Title
    Netty: HttpClientCodec response desynchronization
    Summary
    Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll() once per response, including for 1xx. If the client pipelines GET then HEAD and the server sends 103, then 200 with GET body, then 200 for HEAD, the queue pairs HEAD with the first 200. The HEAD rule then skips reading that message’s body, so the GET entity bytes stay on the stream and the following 200 is parsed from the wrong offset. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
    Assigner
    References
    Impacted products
    Vendor Product Version
    netty netty Affected: >= 4.2.0.Alpha1, < 4.2.13.Final
    Affected: < 4.1.133.Final
    Create a notification for this product.
    io.netty netty-codec-http Affected: >= 4.2.0.Alpha1, < 4.2.13.Final
    Affected: < 4.1.133.Final
    Create a notification for this product.
    Red Hat Cryostat 4 on RHEL 9     cpe:/a:redhat:cryostat:4::el9
    Create a notification for this product.
    Red Hat Red Hat OpenShift Dev Spaces 3.28     cpe:/a:redhat:openshift_devspaces:3.28::el9
    Create a notification for this product.
    Red Hat Red Hat build of Quarkus 3.27.4     cpe:/a:redhat:quarkus:3.27::el8
    Create a notification for this product.
    Red Hat Red Hat build of Quarkus 3.33.2     cpe:/a:redhat:quarkus:3.33::el8
    Create a notification for this product.
    Red Hat OpenShift Serverless     cpe:/a:redhat:serverless:1
    Create a notification for this product.
    Red Hat Red Hat AMQ Broker 7     cpe:/a:redhat:amq_broker:7
    Create a notification for this product.
    Red Hat Red Hat AMQ Clients     cpe:/a:redhat:amq_clients:2023
    Create a notification for this product.
    Red Hat Red Hat build of Apache Camel for Spring Boot 4     cpe:/a:redhat:camel_spring_boot:4
    Create a notification for this product.
    Red Hat Red Hat build of Apicurio Registry 2     cpe:/a:redhat:service_registry:2
    Create a notification for this product.
    Red Hat Red Hat build of Apicurio Registry 3     cpe:/a:redhat:apicurio_registry:3
    Create a notification for this product.
    Red Hat Red Hat build of Debezium 3     cpe:/a:redhat:debezium:3
    Create a notification for this product.
    Red Hat Red Hat Build of Keycloak     cpe:/a:redhat:build_keycloak:
    Create a notification for this product.
    Red Hat Red Hat build of OptaPlanner 8     cpe:/a:redhat:optaplanner:::el6
    Create a notification for this product.
    Red Hat Red Hat Data Grid 8     cpe:/a:redhat:jboss_data_grid:8
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AI (RHEL AI) 3     cpe:/a:redhat:enterprise_linux_ai:3
    Create a notification for this product.
    Red Hat Red Hat Fuse 7     cpe:/a:redhat:jboss_fuse:7
    Create a notification for this product.
    Red Hat Red Hat JBoss Enterprise Application Platform 7     cpe:/a:redhat:jboss_enterprise_application_platform:7
    Create a notification for this product.
    Red Hat Red Hat JBoss Enterprise Application Platform 8     cpe:/a:redhat:jboss_enterprise_application_platform:8
    Create a notification for this product.
    Red Hat Red Hat JBoss Enterprise Application Platform Expansion Pack     cpe:/a:redhat:jbosseapxp
    Create a notification for this product.
    Red Hat Red Hat OpenShift AI (RHOAI)     cpe:/a:redhat:openshift_ai
    Create a notification for this product.
    Red Hat Red Hat OpenShift Dev Spaces     cpe:/a:redhat:openshift_devspaces:3
    Create a notification for this product.
    Red Hat Red Hat Process Automation 7     cpe:/a:redhat:jboss_enterprise_bpms_platform:7
    Create a notification for this product.
    Red Hat Red Hat Single Sign-On 7     cpe:/a:redhat:red_hat_single_sign_on:7
    Create a notification for this product.
    Red Hat streams for Apache Kafka 3     cpe:/a:redhat:amq_streams:3
    Create a notification for this product.
    Red Hat Red Hat build of Apache Camel 4 for Quarkus 3     cpe:/a:redhat:camel_quarkus:3
    Create a notification for this product.
    Red Hat Red Hat Satellite 6     cpe:/a:redhat:satellite:6
    Create a notification for this product.
    Red Hat streams for Apache Kafka 2     cpe:/a:redhat:amq_streams:2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-42584",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-13T18:35:01.642953Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-13T18:35:05.734Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/netty/netty/security/advisories/GHSA-57rv-r2g8-2cj3"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:cryostat:4::el9"
                ],
                "defaultStatus": "affected",
                "product": "Cryostat 4 on RHEL 9",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_devspaces:3.28::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift Dev Spaces 3.28",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:quarkus:3.27::el8"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat build of Quarkus 3.27.4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:quarkus:3.33::el8"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat build of Quarkus 3.33.2",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:serverless:1"
                ],
                "defaultStatus": "affected",
                "product": "OpenShift Serverless",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:amq_broker:7"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat AMQ Broker 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:amq_clients:2023"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat AMQ Clients",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:camel_spring_boot:4"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat build of Apache Camel for Spring Boot 4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:service_registry:2"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat build of Apicurio Registry 2",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:apicurio_registry:3"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat build of Apicurio Registry 3",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:debezium:3"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat build of Debezium 3",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:build_keycloak:"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Build of Keycloak",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:optaplanner:::el6"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat build of OptaPlanner 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jboss_data_grid:8"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Data Grid 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:enterprise_linux_ai:3"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jboss_fuse:7"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Fuse 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jboss_enterprise_application_platform:7"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat JBoss Enterprise Application Platform 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jboss_enterprise_application_platform:8"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat JBoss Enterprise Application Platform 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jbosseapxp"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_ai"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift AI (RHOAI)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_devspaces:3"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift Dev Spaces",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Process Automation 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:red_hat_single_sign_on:7"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Single Sign-On 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:amq_streams:3"
                ],
                "defaultStatus": "affected",
                "product": "streams for Apache Kafka 3",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:camel_quarkus:3"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat build of Apache Camel 4 for Quarkus 3",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:satellite:6"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Satellite 6",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:amq_streams:2"
                ],
                "defaultStatus": "unaffected",
                "product": "streams for Apache Kafka 2",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-05-13T18:10:48.437Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in Netty, an asynchronous, event-driven network application framework. A remote attacker could exploit this vulnerability by sending a specific sequence of HTTP responses (103, followed by a 200 with a GET body, then another 200 for a HEAD request) when the client pipelines GET then HEAD requests. This can cause the HttpClientCodec to incorrectly pair responses, leading to subsequent HTTP responses being parsed from the wrong offset. This issue may result in information disclosure or other data integrity problems due to misinterpretation of network traffic."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "LOW",
                  "baseScore": 7.3,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-444",
                    "description": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-01T12:05:04.614Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-42584"
              },
              {
                "name": "RHBZ#2477224",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2477224"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42584.json"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:28010"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:25123"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:23808"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:24502"
              }
            ],
            "solutions": [
              {
                "lang": "en",
                "value": "RHSA-2026:28010: Cryostat 4 on RHEL 9"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:25123: Red Hat OpenShift Dev Spaces 3.28"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:23808: Red Hat build of Quarkus 3.27.4"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:24502: Red Hat build of Quarkus 3.33.2"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-05-13T19:01:51.846Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-05-13T18:10:48.437Z",
                "value": "Made public."
              }
            ],
            "title": "netty: io.netty/netty-codec-http: Netty: Incorrect HTTP response parsing leads to data confusion",
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "netty",
              "vendor": "netty",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 4.2.0.Alpha1, \u003c 4.2.13.Final"
                },
                {
                  "status": "affected",
                  "version": "\u003c 4.1.133.Final"
                }
              ]
            },
            {
              "product": "netty-codec-http",
              "vendor": "io.netty",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 4.2.0.Alpha1, \u003c 4.2.13.Final"
                },
                {
                  "status": "affected",
                  "version": "\u003c 4.1.133.Final"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll() once per response, including for 1xx. If the client pipelines GET then HEAD and the server sends 103, then 200 with GET body, then 200 for HEAD, the queue pairs HEAD with the first 200. The HEAD rule then skips reading that message\u2019s body, so the GET entity bytes stay on the stream and the following 200 is parsed from the wrong offset. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-444",
                  "description": "CWE-444: Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-13T18:10:48.437Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/netty/netty/security/advisories/GHSA-57rv-r2g8-2cj3",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/netty/netty/security/advisories/GHSA-57rv-r2g8-2cj3"
            }
          ],
          "source": {
            "advisory": "GHSA-57rv-r2g8-2cj3",
            "discovery": "UNKNOWN"
          },
          "title": "Netty: HttpClientCodec response desynchronization"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-42584",
        "datePublished": "2026-05-13T18:10:48.437Z",
        "dateReserved": "2026-04-28T17:26:12.086Z",
        "dateUpdated": "2026-07-01T12:05:04.614Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-42580 (GCVE-0-2026-42580)

    Vulnerability from nvd – Published: 2026-05-13 18:04 – Updated: 2026-05-14 18:21
    VLAI
    Title
    Netty: HTTP Request Smuggling due to incorrect chunk size parsing
    Summary
    Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's chunk size parser silently overflows int, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
    • CWE-190 - Integer Overflow or Wraparound
    Assigner
    References
    Impacted products
    Vendor Product Version
    netty netty Affected: >= 4.2.0.Alpha1, < 4.2.13.Final
    Affected: < 4.1.133.Final
    Create a notification for this product.
    io.netty netty-codec-http Affected: >= 4.2.0.Alpha1, < 4.2.13.Final
    Affected: < 4.1.133.Final
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-42580",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-14T18:21:08.229314Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-14T18:21:13.322Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/netty/netty/security/advisories/GHSA-m4cv-j2px-7723"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "netty",
              "vendor": "netty",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 4.2.0.Alpha1, \u003c 4.2.13.Final"
                },
                {
                  "status": "affected",
                  "version": "\u003c 4.1.133.Final"
                }
              ]
            },
            {
              "product": "netty-codec-http",
              "vendor": "io.netty",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 4.2.0.Alpha1, \u003c 4.2.13.Final"
                },
                {
                  "status": "affected",
                  "version": "\u003c 4.1.133.Final"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty\u0027s chunk size parser silently overflows int, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-444",
                  "description": "CWE-444: Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-190",
                  "description": "CWE-190: Integer Overflow or Wraparound",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-13T18:04:03.690Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/netty/netty/security/advisories/GHSA-m4cv-j2px-7723",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/netty/netty/security/advisories/GHSA-m4cv-j2px-7723"
            }
          ],
          "source": {
            "advisory": "GHSA-m4cv-j2px-7723",
            "discovery": "UNKNOWN"
          },
          "title": "Netty: HTTP Request Smuggling due to incorrect chunk size parsing"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-42580",
        "datePublished": "2026-05-13T18:04:03.690Z",
        "dateReserved": "2026-04-28T17:26:12.085Z",
        "dateUpdated": "2026-05-14T18:21:13.322Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-42587 (GCVE-0-2026-42587)

    Vulnerability from cvelistv5 – Published: 2026-05-13 18:22 – Updated: 2026-07-03 12:04
    VLAI
    Title
    Netty: HttpContentDecompressor maxAllocation bypass via Content-Encoding: br/zstd/snappy enables decompression bomb DoS
    Summary
    Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate encodings via ZlibDecoder, but is silently ignored when the content encoding is br (Brotli), zstd, or snappy. An attacker can bypass the configured decompression limit by sending a compressed payload with Content-Encoding: br instead of Content-Encoding: gzip, causing unbounded memory allocation and out-of-memory denial of service. The same vulnerability exists in DelegatingDecompressorFrameListener for HTTP/2 connections. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    References
    Impacted products
    Vendor Product Version
    netty netty Affected: >= 4.2.0.Alpha1, < 4.2.13.Final
    Affected: < 4.1.133.Final
    Create a notification for this product.
    io.netty netty-codec-http Affected: >= 4.2.0.Alpha1, < 4.2.13.Final
    Affected: < 4.1.133.Final
    Create a notification for this product.
    io.netty netty-codec-http2 Affected: >= 4.2.0.Alpha1, < 4.2.13.Final
    Affected: < 4.1.133.Final
    Create a notification for this product.
    Red Hat Cryostat 4 on RHEL 9     cpe:/a:redhat:cryostat:4::el9
    Create a notification for this product.
    Red Hat Red Hat OpenShift Dev Spaces 3.28     cpe:/a:redhat:openshift_devspaces:3.28::el9
    Create a notification for this product.
    Red Hat Red Hat build of Quarkus 3.27.4     cpe:/a:redhat:quarkus:3.27::el8
    Create a notification for this product.
    Red Hat Red Hat build of Quarkus 3.33.2     cpe:/a:redhat:quarkus:3.33::el8
    Create a notification for this product.
    Red Hat Streams for Apache Kafka 2.9.4     cpe:/a:redhat:amq_streams:2.9::el9
    Create a notification for this product.
    Red Hat Cryostat 4     cpe:/a:redhat:cryostat:4
    Create a notification for this product.
    Red Hat OpenShift Serverless     cpe:/a:redhat:serverless:1
    Create a notification for this product.
    Red Hat Red Hat AMQ Broker 7     cpe:/a:redhat:amq_broker:7
    Create a notification for this product.
    Red Hat Red Hat AMQ Clients     cpe:/a:redhat:amq_clients:2023
    Create a notification for this product.
    Red Hat Red Hat build of Apache Camel for Spring Boot 4     cpe:/a:redhat:camel_spring_boot:4
    Create a notification for this product.
    Red Hat Red Hat build of Apicurio Registry 2     cpe:/a:redhat:service_registry:2
    Create a notification for this product.
    Red Hat Red Hat build of Apicurio Registry 3     cpe:/a:redhat:apicurio_registry:3
    Create a notification for this product.
    Red Hat Red Hat build of Debezium 3     cpe:/a:redhat:debezium:3
    Create a notification for this product.
    Red Hat Red Hat Build of Keycloak     cpe:/a:redhat:build_keycloak:
    Create a notification for this product.
    Red Hat Red Hat build of OptaPlanner 8     cpe:/a:redhat:optaplanner:::el6
    Create a notification for this product.
    Red Hat Red Hat Data Grid 8     cpe:/a:redhat:jboss_data_grid:8
    Create a notification for this product.
    Red Hat Red Hat Fuse 7     cpe:/a:redhat:jboss_fuse:7
    Create a notification for this product.
    Red Hat Red Hat JBoss Enterprise Application Platform 7     cpe:/a:redhat:jboss_enterprise_application_platform:7
    Create a notification for this product.
    Red Hat Red Hat JBoss Enterprise Application Platform 8     cpe:/a:redhat:jboss_enterprise_application_platform:8
    Create a notification for this product.
    Red Hat Red Hat JBoss Enterprise Application Platform Expansion Pack     cpe:/a:redhat:jbosseapxp
    Create a notification for this product.
    Red Hat Red Hat OpenShift AI (RHOAI)     cpe:/a:redhat:openshift_ai
    Create a notification for this product.
    Red Hat Red Hat OpenShift Dev Spaces     cpe:/a:redhat:openshift_devspaces:3
    Create a notification for this product.
    Red Hat Red Hat Process Automation 7     cpe:/a:redhat:jboss_enterprise_bpms_platform:7
    Create a notification for this product.
    Red Hat Red Hat Single Sign-On 7     cpe:/a:redhat:red_hat_single_sign_on:7
    Create a notification for this product.
    Red Hat streams for Apache Kafka 2     cpe:/a:redhat:amq_streams:2
    Create a notification for this product.
    Red Hat streams for Apache Kafka 3     cpe:/a:redhat:amq_streams:3
    Create a notification for this product.
    Red Hat Red Hat build of Apache Camel 4 for Quarkus 3     cpe:/a:redhat:camel_quarkus:3
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AI (RHEL AI) 3     cpe:/a:redhat:enterprise_linux_ai:3
    Create a notification for this product.
    Red Hat Red Hat Satellite 6     cpe:/a:redhat:satellite:6
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-42587",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-13T18:43:31.138358Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-23T15:52:26.728Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/netty/netty/security/advisories/GHSA-f6hv-jmp6-3vwv"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:cryostat:4::el9"
                ],
                "defaultStatus": "affected",
                "product": "Cryostat 4 on RHEL 9",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_devspaces:3.28::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift Dev Spaces 3.28",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:quarkus:3.27::el8"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat build of Quarkus 3.27.4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:quarkus:3.33::el8"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat build of Quarkus 3.33.2",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:amq_streams:2.9::el9"
                ],
                "defaultStatus": "affected",
                "product": "Streams for Apache Kafka 2.9.4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:cryostat:4"
                ],
                "defaultStatus": "affected",
                "product": "Cryostat 4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:serverless:1"
                ],
                "defaultStatus": "affected",
                "product": "OpenShift Serverless",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:amq_broker:7"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat AMQ Broker 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:amq_clients:2023"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat AMQ Clients",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:camel_spring_boot:4"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat build of Apache Camel for Spring Boot 4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:service_registry:2"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat build of Apicurio Registry 2",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:apicurio_registry:3"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat build of Apicurio Registry 3",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:debezium:3"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat build of Debezium 3",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:build_keycloak:"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Build of Keycloak",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:optaplanner:::el6"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat build of OptaPlanner 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jboss_data_grid:8"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Data Grid 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jboss_fuse:7"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Fuse 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jboss_enterprise_application_platform:7"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat JBoss Enterprise Application Platform 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jboss_enterprise_application_platform:8"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat JBoss Enterprise Application Platform 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jbosseapxp"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_ai"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift AI (RHOAI)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_devspaces:3"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift Dev Spaces",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Process Automation 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:red_hat_single_sign_on:7"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Single Sign-On 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:amq_streams:2"
                ],
                "defaultStatus": "affected",
                "product": "streams for Apache Kafka 2",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:amq_streams:3"
                ],
                "defaultStatus": "affected",
                "product": "streams for Apache Kafka 3",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:camel_quarkus:3"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat build of Apache Camel 4 for Quarkus 3",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:enterprise_linux_ai:3"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:satellite:6"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Satellite 6",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-05-13T18:22:21.699Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in Netty. A remote attacker can bypass the configured decompression limit in the HttpContentDecompressor by sending a specially crafted compressed payload using Brotli (br), Zstandard (zstd), or Snappy content encodings. This can lead to unbounded memory allocation, resulting in an out-of-memory Denial of Service (DoS) for the affected system."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-770",
                    "description": "Allocation of Resources Without Limits or Throttling",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-03T12:04:48.821Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-42587"
              },
              {
                "name": "RHBZ#2477220",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2477220"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42587.json"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:28010"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:25123"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:23808"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:24502"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:34608"
              }
            ],
            "solutions": [
              {
                "lang": "en",
                "value": "RHSA-2026:28010: Cryostat 4 on RHEL 9"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:25123: Red Hat OpenShift Dev Spaces 3.28"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:23808: Red Hat build of Quarkus 3.27.4"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:24502: Red Hat build of Quarkus 3.33.2"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:34608: Streams for Apache Kafka 2.9.4"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-05-13T19:01:35.415Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-05-13T18:22:21.699Z",
                "value": "Made public."
              }
            ],
            "title": "netty: io.netty/netty-codec-http: io.netty/netty-codec-http2: Netty: Denial of Service via unbounded memory allocation in HTTP content decompression",
            "workarounds": [
              {
                "lang": "en",
                "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."
              }
            ],
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "netty",
              "vendor": "netty",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 4.2.0.Alpha1, \u003c 4.2.13.Final"
                },
                {
                  "status": "affected",
                  "version": "\u003c 4.1.133.Final"
                }
              ]
            },
            {
              "product": "netty-codec-http",
              "vendor": "io.netty",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 4.2.0.Alpha1, \u003c 4.2.13.Final"
                },
                {
                  "status": "affected",
                  "version": "\u003c 4.1.133.Final"
                }
              ]
            },
            {
              "product": "netty-codec-http2",
              "vendor": "io.netty",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 4.2.0.Alpha1, \u003c 4.2.13.Final"
                },
                {
                  "status": "affected",
                  "version": "\u003c 4.1.133.Final"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate encodings via ZlibDecoder, but is silently ignored when the content encoding is br (Brotli), zstd, or snappy. An attacker can bypass the configured decompression limit by sending a compressed payload with Content-Encoding: br instead of Content-Encoding: gzip, causing unbounded memory allocation and out-of-memory denial of service. The same vulnerability exists in DelegatingDecompressorFrameListener for HTTP/2 connections. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400: Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-13T18:22:21.699Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/netty/netty/security/advisories/GHSA-f6hv-jmp6-3vwv",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/netty/netty/security/advisories/GHSA-f6hv-jmp6-3vwv"
            }
          ],
          "source": {
            "advisory": "GHSA-f6hv-jmp6-3vwv",
            "discovery": "UNKNOWN"
          },
          "title": "Netty: HttpContentDecompressor maxAllocation bypass via Content-Encoding: br/zstd/snappy enables decompression bomb DoS"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-42587",
        "datePublished": "2026-05-13T18:22:21.699Z",
        "dateReserved": "2026-04-28T17:26:12.086Z",
        "dateUpdated": "2026-07-03T12:04:48.821Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-42585 (GCVE-0-2026-42585)

    Vulnerability from cvelistv5 – Published: 2026-05-13 18:12 – Updated: 2026-05-15 20:34
    VLAI
    Title
    Netty: HTTP Request Smuggling due to malformed Transfer-Encoding
    Summary
    Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
    Assigner
    References
    Impacted products
    Vendor Product Version
    netty netty Affected: >= 4.2.0.Alpha1, < 4.2.13.Final
    Affected: < 4.1.133.Final
    Create a notification for this product.
    io.netty netty-codec-http Affected: >= 4.2.0.Alpha1, < 4.2.13.Final
    Affected: < 4.1.133.Final
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-42585",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-15T20:33:59.288432Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-15T20:34:21.305Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/netty/netty/security/advisories/GHSA-38f8-5428-x5cv"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "netty",
              "vendor": "netty",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 4.2.0.Alpha1, \u003c 4.2.13.Final"
                },
                {
                  "status": "affected",
                  "version": "\u003c 4.1.133.Final"
                }
              ]
            },
            {
              "product": "netty-codec-http",
              "vendor": "io.netty",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 4.2.0.Alpha1, \u003c 4.2.13.Final"
                },
                {
                  "status": "affected",
                  "version": "\u003c 4.1.133.Final"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-444",
                  "description": "CWE-444: Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-13T18:13:17.497Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/netty/netty/security/advisories/GHSA-38f8-5428-x5cv",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/netty/netty/security/advisories/GHSA-38f8-5428-x5cv"
            }
          ],
          "source": {
            "advisory": "GHSA-38f8-5428-x5cv",
            "discovery": "UNKNOWN"
          },
          "title": "Netty: HTTP Request Smuggling due to malformed Transfer-Encoding"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-42585",
        "datePublished": "2026-05-13T18:12:39.586Z",
        "dateReserved": "2026-04-28T17:26:12.086Z",
        "dateUpdated": "2026-05-15T20:34:21.305Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-42584 (GCVE-0-2026-42584)

    Vulnerability from cvelistv5 – Published: 2026-05-13 18:10 – Updated: 2026-07-01 12:05
    VLAI
    Title
    Netty: HttpClientCodec response desynchronization
    Summary
    Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll() once per response, including for 1xx. If the client pipelines GET then HEAD and the server sends 103, then 200 with GET body, then 200 for HEAD, the queue pairs HEAD with the first 200. The HEAD rule then skips reading that message’s body, so the GET entity bytes stay on the stream and the following 200 is parsed from the wrong offset. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
    Assigner
    References
    Impacted products
    Vendor Product Version
    netty netty Affected: >= 4.2.0.Alpha1, < 4.2.13.Final
    Affected: < 4.1.133.Final
    Create a notification for this product.
    io.netty netty-codec-http Affected: >= 4.2.0.Alpha1, < 4.2.13.Final
    Affected: < 4.1.133.Final
    Create a notification for this product.
    Red Hat Cryostat 4 on RHEL 9     cpe:/a:redhat:cryostat:4::el9
    Create a notification for this product.
    Red Hat Red Hat OpenShift Dev Spaces 3.28     cpe:/a:redhat:openshift_devspaces:3.28::el9
    Create a notification for this product.
    Red Hat Red Hat build of Quarkus 3.27.4     cpe:/a:redhat:quarkus:3.27::el8
    Create a notification for this product.
    Red Hat Red Hat build of Quarkus 3.33.2     cpe:/a:redhat:quarkus:3.33::el8
    Create a notification for this product.
    Red Hat OpenShift Serverless     cpe:/a:redhat:serverless:1
    Create a notification for this product.
    Red Hat Red Hat AMQ Broker 7     cpe:/a:redhat:amq_broker:7
    Create a notification for this product.
    Red Hat Red Hat AMQ Clients     cpe:/a:redhat:amq_clients:2023
    Create a notification for this product.
    Red Hat Red Hat build of Apache Camel for Spring Boot 4     cpe:/a:redhat:camel_spring_boot:4
    Create a notification for this product.
    Red Hat Red Hat build of Apicurio Registry 2     cpe:/a:redhat:service_registry:2
    Create a notification for this product.
    Red Hat Red Hat build of Apicurio Registry 3     cpe:/a:redhat:apicurio_registry:3
    Create a notification for this product.
    Red Hat Red Hat build of Debezium 3     cpe:/a:redhat:debezium:3
    Create a notification for this product.
    Red Hat Red Hat Build of Keycloak     cpe:/a:redhat:build_keycloak:
    Create a notification for this product.
    Red Hat Red Hat build of OptaPlanner 8     cpe:/a:redhat:optaplanner:::el6
    Create a notification for this product.
    Red Hat Red Hat Data Grid 8     cpe:/a:redhat:jboss_data_grid:8
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AI (RHEL AI) 3     cpe:/a:redhat:enterprise_linux_ai:3
    Create a notification for this product.
    Red Hat Red Hat Fuse 7     cpe:/a:redhat:jboss_fuse:7
    Create a notification for this product.
    Red Hat Red Hat JBoss Enterprise Application Platform 7     cpe:/a:redhat:jboss_enterprise_application_platform:7
    Create a notification for this product.
    Red Hat Red Hat JBoss Enterprise Application Platform 8     cpe:/a:redhat:jboss_enterprise_application_platform:8
    Create a notification for this product.
    Red Hat Red Hat JBoss Enterprise Application Platform Expansion Pack     cpe:/a:redhat:jbosseapxp
    Create a notification for this product.
    Red Hat Red Hat OpenShift AI (RHOAI)     cpe:/a:redhat:openshift_ai
    Create a notification for this product.
    Red Hat Red Hat OpenShift Dev Spaces     cpe:/a:redhat:openshift_devspaces:3
    Create a notification for this product.
    Red Hat Red Hat Process Automation 7     cpe:/a:redhat:jboss_enterprise_bpms_platform:7
    Create a notification for this product.
    Red Hat Red Hat Single Sign-On 7     cpe:/a:redhat:red_hat_single_sign_on:7
    Create a notification for this product.
    Red Hat streams for Apache Kafka 3     cpe:/a:redhat:amq_streams:3
    Create a notification for this product.
    Red Hat Red Hat build of Apache Camel 4 for Quarkus 3     cpe:/a:redhat:camel_quarkus:3
    Create a notification for this product.
    Red Hat Red Hat Satellite 6     cpe:/a:redhat:satellite:6
    Create a notification for this product.
    Red Hat streams for Apache Kafka 2     cpe:/a:redhat:amq_streams:2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-42584",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-13T18:35:01.642953Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-13T18:35:05.734Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/netty/netty/security/advisories/GHSA-57rv-r2g8-2cj3"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:cryostat:4::el9"
                ],
                "defaultStatus": "affected",
                "product": "Cryostat 4 on RHEL 9",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_devspaces:3.28::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift Dev Spaces 3.28",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:quarkus:3.27::el8"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat build of Quarkus 3.27.4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:quarkus:3.33::el8"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat build of Quarkus 3.33.2",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:serverless:1"
                ],
                "defaultStatus": "affected",
                "product": "OpenShift Serverless",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:amq_broker:7"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat AMQ Broker 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:amq_clients:2023"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat AMQ Clients",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:camel_spring_boot:4"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat build of Apache Camel for Spring Boot 4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:service_registry:2"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat build of Apicurio Registry 2",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:apicurio_registry:3"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat build of Apicurio Registry 3",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:debezium:3"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat build of Debezium 3",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:build_keycloak:"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Build of Keycloak",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:optaplanner:::el6"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat build of OptaPlanner 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jboss_data_grid:8"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Data Grid 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:enterprise_linux_ai:3"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jboss_fuse:7"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Fuse 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jboss_enterprise_application_platform:7"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat JBoss Enterprise Application Platform 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jboss_enterprise_application_platform:8"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat JBoss Enterprise Application Platform 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jbosseapxp"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_ai"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift AI (RHOAI)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_devspaces:3"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift Dev Spaces",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Process Automation 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:red_hat_single_sign_on:7"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Single Sign-On 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:amq_streams:3"
                ],
                "defaultStatus": "affected",
                "product": "streams for Apache Kafka 3",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:camel_quarkus:3"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat build of Apache Camel 4 for Quarkus 3",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:satellite:6"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Satellite 6",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:amq_streams:2"
                ],
                "defaultStatus": "unaffected",
                "product": "streams for Apache Kafka 2",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-05-13T18:10:48.437Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in Netty, an asynchronous, event-driven network application framework. A remote attacker could exploit this vulnerability by sending a specific sequence of HTTP responses (103, followed by a 200 with a GET body, then another 200 for a HEAD request) when the client pipelines GET then HEAD requests. This can cause the HttpClientCodec to incorrectly pair responses, leading to subsequent HTTP responses being parsed from the wrong offset. This issue may result in information disclosure or other data integrity problems due to misinterpretation of network traffic."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "LOW",
                  "baseScore": 7.3,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-444",
                    "description": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-01T12:05:04.614Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-42584"
              },
              {
                "name": "RHBZ#2477224",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2477224"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42584.json"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:28010"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:25123"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:23808"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:24502"
              }
            ],
            "solutions": [
              {
                "lang": "en",
                "value": "RHSA-2026:28010: Cryostat 4 on RHEL 9"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:25123: Red Hat OpenShift Dev Spaces 3.28"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:23808: Red Hat build of Quarkus 3.27.4"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:24502: Red Hat build of Quarkus 3.33.2"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-05-13T19:01:51.846Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-05-13T18:10:48.437Z",
                "value": "Made public."
              }
            ],
            "title": "netty: io.netty/netty-codec-http: Netty: Incorrect HTTP response parsing leads to data confusion",
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "netty",
              "vendor": "netty",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 4.2.0.Alpha1, \u003c 4.2.13.Final"
                },
                {
                  "status": "affected",
                  "version": "\u003c 4.1.133.Final"
                }
              ]
            },
            {
              "product": "netty-codec-http",
              "vendor": "io.netty",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 4.2.0.Alpha1, \u003c 4.2.13.Final"
                },
                {
                  "status": "affected",
                  "version": "\u003c 4.1.133.Final"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll() once per response, including for 1xx. If the client pipelines GET then HEAD and the server sends 103, then 200 with GET body, then 200 for HEAD, the queue pairs HEAD with the first 200. The HEAD rule then skips reading that message\u2019s body, so the GET entity bytes stay on the stream and the following 200 is parsed from the wrong offset. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-444",
                  "description": "CWE-444: Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-13T18:10:48.437Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/netty/netty/security/advisories/GHSA-57rv-r2g8-2cj3",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/netty/netty/security/advisories/GHSA-57rv-r2g8-2cj3"
            }
          ],
          "source": {
            "advisory": "GHSA-57rv-r2g8-2cj3",
            "discovery": "UNKNOWN"
          },
          "title": "Netty: HttpClientCodec response desynchronization"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-42584",
        "datePublished": "2026-05-13T18:10:48.437Z",
        "dateReserved": "2026-04-28T17:26:12.086Z",
        "dateUpdated": "2026-07-01T12:05:04.614Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-42580 (GCVE-0-2026-42580)

    Vulnerability from cvelistv5 – Published: 2026-05-13 18:04 – Updated: 2026-05-14 18:21
    VLAI
    Title
    Netty: HTTP Request Smuggling due to incorrect chunk size parsing
    Summary
    Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's chunk size parser silently overflows int, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
    • CWE-190 - Integer Overflow or Wraparound
    Assigner
    References
    Impacted products
    Vendor Product Version
    netty netty Affected: >= 4.2.0.Alpha1, < 4.2.13.Final
    Affected: < 4.1.133.Final
    Create a notification for this product.
    io.netty netty-codec-http Affected: >= 4.2.0.Alpha1, < 4.2.13.Final
    Affected: < 4.1.133.Final
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-42580",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-14T18:21:08.229314Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-14T18:21:13.322Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/netty/netty/security/advisories/GHSA-m4cv-j2px-7723"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "netty",
              "vendor": "netty",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 4.2.0.Alpha1, \u003c 4.2.13.Final"
                },
                {
                  "status": "affected",
                  "version": "\u003c 4.1.133.Final"
                }
              ]
            },
            {
              "product": "netty-codec-http",
              "vendor": "io.netty",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 4.2.0.Alpha1, \u003c 4.2.13.Final"
                },
                {
                  "status": "affected",
                  "version": "\u003c 4.1.133.Final"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty\u0027s chunk size parser silently overflows int, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-444",
                  "description": "CWE-444: Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-190",
                  "description": "CWE-190: Integer Overflow or Wraparound",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-13T18:04:03.690Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/netty/netty/security/advisories/GHSA-m4cv-j2px-7723",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/netty/netty/security/advisories/GHSA-m4cv-j2px-7723"
            }
          ],
          "source": {
            "advisory": "GHSA-m4cv-j2px-7723",
            "discovery": "UNKNOWN"
          },
          "title": "Netty: HTTP Request Smuggling due to incorrect chunk size parsing"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-42580",
        "datePublished": "2026-05-13T18:04:03.690Z",
        "dateReserved": "2026-04-28T17:26:12.085Z",
        "dateUpdated": "2026-05-14T18:21:13.322Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }