QSearchQSearch

CVE-2026-42585

6.5 MEDIUM

Netty is an asynchronous, event-driven network application framework

Published: 2026-05-13 · Last updated: 2026-05-18

Severity and scoring

CVSS
6.5 MEDIUM
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CWE
CWE-444

Affected products

VendorProduct
nettynetty

Description

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

Source: NVD

References

Related CVEs

Same vendor

  • CVE-2026-48040 The netty incubator codec.bhttp is a java language binary http parser (9.1 CRITICAL)
  • CVE-2026-41207 The netty incubator codec.bhttp is a java language binary http parser (5.3 MEDIUM)
  • CVE-2026-44248 Netty is an asynchronous, event-driven network application framework (5.3 MEDIUM)
  • CVE-2026-42587 Netty is an asynchronous, event-driven network application framework (7.5 HIGH)
  • CVE-2026-42586 Netty is an asynchronous, event-driven network application framework (6.8 MEDIUM)

Same CWE

  • CVE-2026-41853 Spring MVC and WebFlux applications are vulnerable to Multipart request smuggling attacks (5.3 MEDIUM)
  • CVE-2026-44546 daphne before 4.2.2 reconstructs a raw HTTP request from Twisted's parsed headers and feeds it to autobahn for WebSocket handshake proces... (3.7 LOW)
  • CVE-2026-50052 In Vinyl Cache before 9.0.1 and Varnish Cache before 9.0.3, a deficiency in HTTP/2 request parsing can be exploited to launch a backend r...
  • CVE-2026-49753 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in elixir-mint Mint allows attacker-contro...
  • CVE-2026-45372 cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library (9.9 CRITICAL)