CVE-2026-42580

🗓️ 13 May 2026 18:04:03Reported by GitHub_MType

CVE-2026-42580: Netty HTTP request smuggling from chunk size parsing overflow; fixed in 4.2.13.Final and 4.1.133.Final.

Reporter	Title	Published	Views	Family All 107
IBM Security Bulletins	Security Bulletin: DevOps Test Performance contains vulnerabilities related to use of netty-codec-http	19 May 202619:19	–	ibm
IBM Security Bulletins	Security Bulletin: IBM App Connect for Manufacturing is vulnerable to multiple vulnerabilities due to Netty	21 May 202616:11	–	ibm
Chainguard	CVE-2026-42580 vulnerabilities	8 May 202601:17	–	cgr
Circl	CVE-2026-42580	5 May 202618:09	–	circl
CNNVD	Netty 输入验证错误漏洞	13 May 202600:00	–	cnnvd
Cvelist	CVE-2026-42580 Netty: HTTP Request Smuggling due to incorrect chunk size parsing	13 May 202618:04	–	cvelist
Debian CVE	CVE-2026-42580	13 May 202618:04	–	debiancve
Github Security Blog	Netty vulnerable to HTTP Request Smuggling due to incorrect chunk size parsing	7 May 202600:13	–	github
NVD	CVE-2026-42580	13 May 202619:17	–	nvd
OSV	CGA-XCQ7-9MQX-6HMQ	7 May 202615:46	–	osv

NVD

Vulners

Node

netty nettyRange<4.1.133

netty nettyRange4.2.0–4.2.13

[
  {
    "vendor": "netty",
    "product": "netty",
    "versions": [
      {
        "version": ">= 4.2.0.Alpha1, < 4.2.13.Final",
        "status": "affected"
      },
      {
        "version": "< 4.1.133.Final",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "io.netty",
    "product": "netty-codec-http",
    "versions": [
      {
        "version": ">= 4.2.0.Alpha1, < 4.2.13.Final",
        "status": "affected"
      },
      {
        "version": "< 4.1.133.Final",
        "status": "affected"
      }
    ]
  }
]

Source	Link
github	www.github.com/netty/netty/security/advisories/GHSA-m4cv-j2px-7723

18 May 2026 14:03Current

5.8Medium risk

Vulners AI Score5.8

CVSS 3.16.5

EPSS0.00016

SSVC