CVE-2026-42584

7.3 HIGH

Netty is an asynchronous, event-driven network application framework

Published: 2026-05-13 · Last updated: 2026-05-18

Severity and scoring

CVSS: 7.3 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-444

Affected products

Vendor	Product
netty	netty

Description

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll() once per response, including for 1xx. If the client pipelines GET then HEAD and the server sends 103, then 200 with GET body, then 200 for HEAD, the queue pairs HEAD with the first 200. The HEAD rule then skips reading that message’s body, so the GET entity bytes stay on the stream and the following 200 is parsed from the wrong offset. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-42584
[Vendor advisory]https://github.com/netty/netty/security/advisories/GHSA-57rv-r2g8-2cj3
[Vendor advisory]https://github.com/netty/netty/security/advisories/GHSA-57rv-r2g8-2cj3

Related CVEs

Same vendor

CVE-2026-50560 — Netty is a network application framework for development of protocol servers and clients (5.3 MEDIUM)
CVE-2026-50020 — Netty is a network application framework for development of protocol servers and clients (5.3 MEDIUM)
CVE-2026-50011 — Netty is a network application framework for development of protocol servers and clients (7.5 HIGH)
CVE-2026-50010 — Netty is a network application framework for development of protocol servers and clients (7.5 HIGH)
CVE-2026-50009 — Netty is a network application framework for development of protocol servers and clients (4.8 MEDIUM)

Same CWE

CVE-2026-50020 — Netty is a network application framework for development of protocol servers and clients (5.3 MEDIUM)
CVE-2026-46342 — Nuxt is an open-source web development framework for Vue.js (5.4 MEDIUM)
CVE-2026-6338 — A HTTP request smuggling and desynchronization vulnerability affects Kong Gateway Enterprise 3.4, 3.10, 3.11, 3.12, 3.13, and 3.14 series
CVE-2026-41853 — Spring MVC and WebFlux applications are vulnerable to Multipart request smuggling attacks (5.3 MEDIUM)
CVE-2026-44546 — daphne before 4.2.2 reconstructs a raw HTTP request from Twisted's parsed headers and feeds it to autobahn for WebSocket handshake proces... (3.7 LOW)