CVE-2026-42584 Netty: HttpClientCodec response desynchronization

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll once per response, including for 1xx. If the client pipelines GET then HEAD and the server sends 103,...

CVE-2026-42582

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final, when decoding header blocks, the non-Huffman branch of io.netty.handler.codec.http3.QpackDecoderdecodeHuffmanEncodedLiteral may execute new bytelength for a string literal before verifying that length byt...

CVE-2026-42579 Netty: DNS Codec Input Validation Bypass in Netty (Encoder + Decoder)

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's DNS codec does not enforce RFC 1035 domain name constraints during either encoding or decoding. This creates a bidirectional attack surface: malicious DNS responses can exploit t...

CVE-2026-42579

Summary: CVE-2026-42579 affects the Netty framework’s DNS codec. Affected versions: prior to 4.2.13.Final and 4.1.133.Final. Root cause: DNS encoding/decoding did not enforce RFC 1035 domain name constraints. Impact: potential bidirectional attack surface via malicious DNS responses (decoder) or ...

CVE-2026-42577

Technical details are not publicly available in the provided documents; monitor for updates.

CVE-2026-42577

Netty is an asynchronous, event-driven network application framework. From 4.2.0.Final to 4.2.13.Final , Netty's epoll transport fails to detect and close TCP connections that receive a RST after being half-closed, leading to stale channels that are never cleaned up and, in some code paths, a 100...

CVE-2026-42581

Netty vulnerability CVE-2026-42581 affects Netty in HTTP handling. Before 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder does not clear a conflicting Content-Length header when a request carries both Transfer-Encoding: chunked and Content-Length for HTTP/1.1; HTTP/1.0 requests lack this guard....

Netty 环境问题漏洞

Netty is a non-blocking I/O client-server framework from the Netty community. It is primarily used for developing Java network applications, such as protocol servers and clients. Versions of Netty prior to 4.2.13.Final and 4.1.133.Final contained environmental issues. These issues were caused by...

Netty 注入漏洞

Netty is a non-blocking I/O client-server framework developed by the Netty community. It is primarily used for developing Java network applications, such as protocol servers and clients. Versions of Netty prior to 4.2.13.Final and 4.1.133.Final contained an injection vulnerability. This...

Allocation of Resources Without Limits or Throttling

Overview io.netty:netty-codec is an event-driven asynchronous network application framework. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the Lz4FrameDecoder component. An attacker can cause excessive memory allocation by sending...

HTTP Request Smuggling

Overview io.netty:netty-codec-http is a network application framework for rapid development of maintainable high performance protocol servers & clients. Affected versions of this package are vulnerable to HTTP Request Smuggling via the getChunkSize function. An attacker can inject unauthorized HT...

SUSE CVE-2026-33870

Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fi...

CVE-2026-33871

Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service DoS against a Netty HTTP/2 server by sending a flood of CONTINUATION frames. The server's lack of a limit on the number of...

CVE-2026-33870

Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fi...

CVE-2026-33870 Netty: HTTP Request Smuggling via Chunked Extension Quoted-String Parsing

Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fi...

Netty 环境问题漏洞

Netty is a non-blocking I/O client-server framework from the Netty community. It is primarily used for developing Java network applications, such as protocol servers and clients. Versions of Netty prior to 4.1.132.Final and 4.2.10.Final contained environmental issues. These issues were caused by...

HTTP Request Smuggling

Overview io.netty:netty-codec-http is a network application framework for rapid development of maintainable high performance protocol servers & clients. Affected versions of this package are vulnerable to HTTP Request Smuggling in the parsing of quoted strings within chunked transfer encoding...

netty-codec: netty-codec-compression: Netty's BrotliDecoder is vulnerable to DoS via zip bomb style attack

A flaw was found in Netty. With specially crafted input, BrotliDecoder and some other decompressing decoders will allocate a large number of reachable byte buffers, which can lead to denial of service...

Security Bulletin: Rational Performance Tester contains vulnerabilities related to the Netty framework

Summary Due to the use of Netty, Rational Performance Tester contains vulnerabilities that could allow HTTP request smuggling or a denial of service attack. CVE-2025-58056, CVE-2025-58057 Vulnerability Details CVEID:CVE-2025-58056 DESCRIPTION: Netty is an asynchronous event-driven network...

CVE-2025-67735

Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the io.netty.handler.codec.http.HttpRequestEncoder has a CRLF injection with the request URI when constructing a request. This leads to request smuggling when HttpRequestEncod...