CVE-2026-42580

MEDIUM6.5EPSS 0.02%

Netty vulnerable to HTTP Request Smuggling due to incorrect chunk size parsing

Published: 5/7/2026Modified: 5/14/2026

Description

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's chunk size parser silently overflows int, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

Affected packages (2)

Debian/nettyfrom 0
Maven/io.netty:netty-codec-http>= 4.2.0.Alpha1, < 4.2.13.Final

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-42580
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2026-42580
PATCHhttps://github.com/netty/netty
WEBhttps://github.com/netty/netty/security/advisories/GHSA-m4cv-j2px-7723