CVE-2026-48480
The Netty incubator codec.bhttp is a Java-language binary HTTP parser
Published: 2026-06-04 · Last updated: 2026-06-05
Severity and scoring
- CWE: CWE-325
Description
The Netty incubator codec.bhttp is a Java-language binary HTTP parser. Prior to version 0.0.22.Final, the codec-ohttp implementation of draft-ietf-ohai-chunked-ohttp does not verify that a cryptographically-signed final chunk was received before the outer HTTP body terminates. An on-path adversary (the OHTTP relay itself, or any MITM on the relay↔gateway or relay↔client transport) can forward a prefix of a legitimate chunked-OHTTP message—cut at a non-final chunk boundary—and close the outer body cleanly, producing no decryption error and no exception in the receiving application. Version 0.0.22.Final fixes the issue.
Source: NVD
Related CVEs
Same CWE
- CVE-2026-45446 — Issue summary: The implementations of AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) mishandle the authentication of AAD (Additional Authe... (4.8 MEDIUM)
- CVE-2026-45445 — Issue summary: When an application drives an AES-OCB context through the public EVP_Cipher() one-shot interface, the application-supplied... (7.5 HIGH)
- CVE-2026-42770 — Issue summary: When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the peer key is not properly checked for the subgro... (3.7 LOW)
- CVE-2026-0420 — An improper implementation of TLS certificate validation vulnerability found in ReadyCloud client app which can allow an attacker to perf...
- CVE-2026-4258 — All versions of the package sjcl are vulnerable to Improper Verification of Cryptographic Signature due to missing point-on-curve validat... (7.5 HIGH)