101631 matches found
DEBIAN-CVE-2026-42578
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage method creates headers using...
DEBIAN-CVE-2026-42582
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final, when decoding header blocks, the non-Huffman branch of io.netty.handler.codec.http3.QpackDecoderdecodeHuffmanEncodedLiteral may execute new bytelength for a string literal before verifying that length byt...
CVE-2026-42587
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate...
UBUNTU-CVE-2026-42581
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder strips a conflicting Content-Length header when a request carries both Transfer-Encoding: chunked and Content-Length, but only for HTTP/1.1 messages. The guard is absen...
UBUNTU-CVE-2026-42578
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage method creates headers using...
UBUNTU-CVE-2026-42587
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate...
CVE-2026-42578
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage method creates headers using...
UBUNTU-CVE-2026-42584
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll once per response, including for 1xx. If the client pipelines GET then HEAD and the server sends 103,...
EUVD-2026-29999
When an HTTP/2 profile and an iRule containing the HTTP::redirect or HTTP::respond command are configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel TMM process to terminate. Note: Software versions which have reached End of Technical Support EoTS are...
EUVD-2026-29987
On an HTTP/2 virtual server with Layer 7 DoS Protection configured, undisclosed traffic can result in an increase in memory consumption causing the Traffic Management Microkernel TMM process to terminate. Note: Software versions which have reached End of Technical Support EoTS are not evaluated...
CVE-2026-42587
Netty CVE-2026-42587 affects HttpContentDecompressor and DelegatingDecompressorFrameListener. Before 4.2.13.Final and 4.1.133.Final, maxAllocation is enforced for gzip/deflate but ignored for br, zstd, or snappy, allowing an attacker to bypass the decompression limit via Content-Encoding: br and ...
CVE-2026-42585
Netty CVE-2026-42585 affects Netty prior to versions 4.2.13.Final and 4.1.133.Final, where improper parsing of malformed Transfer-Encoding can enable HTTP request smuggling. Public advisories and OSV entries confirm the issue and that fixes are available in 4.2.13.Final and 4.1.133.Final. Affecte...
CVE-2026-42585 Netty: HTTP Request Smuggling due to malformed Transfer-Encoding
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final...
CVE-2026-42585 Netty: HTTP Request Smuggling due to malformed Transfer-Encoding
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final...
CVE-2026-42584 Netty: HttpClientCodec response desynchronization
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll once per response, including for 1xx. If the client pipelines GET then HEAD and the server sends 103,...
CVE-2026-42584
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll once per response, including for 1xx. If the client pipelines GET then HEAD and the server sends 103,...
CVE-2026-42582
Netty (HTTP/3) vulnerable in QpackDecoder.decodeHuffmanEncodedLiteral prior to 4.2.13.Final: the non-Huffman path may allocate byte[length] without verifying length
CVE-2026-42582 Netty: HTTP/3 QPACK literal unbounded allocation
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final, when decoding header blocks, the non-Huffman branch of io.netty.handler.codec.http3.QpackDecoderdecodeHuffmanEncodedLiteral may execute new bytelength for a string literal before verifying that length byt...
CVE-2026-42580
Netty vulnerability CVE-2026-42580: The chunk size parser in Netty before 4.2.13.Final and 4.1.133.Final silently overflows an int, enabling HTTP request smuggling. Affected: Netty versions prior to the fixed releases. Impact: potential request smuggling with LOW to MEDIUM described CVSS factors ...
CVE-2026-42578 Netty: HTTP Header Injection via HttpProxyHandler Disabled Validation
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage method creates headers using...