CVE-2026-33870
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Summary
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| netty | netty | < 4.1.132.Final | affected |
| netty | netty | >= 4.2.0.Alpha1, < 4.2.10.Final | affected |
Weaknesses
- CWE-444: CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: yes
- Technical Impact: partial
io.netty/netty-codec-http: Netty: Request smuggling via incorrect parsing of HTTP/1.1 chunked transfer encoding extension values
Additional References
- https://access.redhat.com/security/cve/CVE-2026-33870
- https://bugzilla.redhat.com/show_bug.cgi?id=2452453
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-33870.json
- https://access.redhat.com/errata/RHSA-2026:18054
- https://access.redhat.com/errata/RHSA-2026:17789
- https://access.redhat.com/errata/RHSA-2026:18055
- https://access.redhat.com/errata/RHSA-2026:14276
- https://access.redhat.com/errata/RHSA-2026:14272
- https://access.redhat.com/errata/RHSA-2026:8509
- https://access.redhat.com/errata/RHSA-2026:8159
- https://access.redhat.com/errata/RHSA-2026:22619
- https://access.redhat.com/errata/RHSA-2026:18059
- https://access.redhat.com/errata/RHSA-2026:10184
- https://access.redhat.com/errata/RHSA-2026:10175
- https://access.redhat.com/errata/RHSA-2026:17668
- https://access.redhat.com/errata/RHSA-2026:7109
- https://access.redhat.com/errata/RHSA-2026:7380
- https://access.redhat.com/errata/RHSA-2026:34608
- https://access.redhat.com/errata/RHSA-2026:13571
References
- https://github.com/netty/netty/security/advisories/GHSA-pwqr-wmgm-9rr8
- https://w4ke.info/2025/06/18/funky-chunks.html
- https://w4ke.info/2025/10/29/funky-chunks-2.html
- https://www.rfc-editor.org/rfc/rfc9110
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.