CVE-2026-42580

Summary

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's chunk size parser silently overflows int, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

Affected Software

VendorProductVersion RangeStatus
nettynetty>= 4.2.0.Alpha1, < 4.2.13.Finalaffected
nettynetty< 4.1.133.Finalaffected
io.nettynetty-codec-http>= 4.2.0.Alpha1, < 4.2.13.Finalaffected
io.nettynetty-codec-http< 4.1.133.Finalaffected

Weaknesses

  • CWE-444: CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
  • CWE-190: CWE-190: Integer Overflow or Wraparound

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

Additional References

References