CVE-2026-41207

MEDIUM

netty-incubator-codec-ohttp's HPKEContext operations may produce empty byte[] on failures

Title source: cna

Description

The netty incubator codec.bhttp is a java language binary http parser. Prior to version 0.0.21.Final, HKDF_expand returns non-NULL on failure. The byte[] is filled with zeros and has no way to distinguish success from failure. Since this output is used as HKDF key material for the response AEAD, a failure silently produces an all-zero key. When EVP_HPKE_CTX_export fails it also returns an empty byte[] array filled with zeros. This byte[] feeds directly into OHttpCrypto.createResponseAEAD(...). A silent all-zero export secret would produce a deterministic, attacker-predictable AEAD key. Version 0.0.21.Final patches the issue.

References (2)

Core 2

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/netty/netty-incubator-codec-ohttp/security/advisories/GHSA-f659-372h-6x3x

X_Refsource_Misc x_refsource_misc

https://github.com/netty/netty-incubator-codec-ohttp/commit/3d3b4e527fc82ad0fe3db1af951ffd0ec9a10680

View Writeup ZIP pw:eip

Scores

CVSS v3 5.3

EPSS 0.0032

EPSS Percentile 23.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-330

Status published

Products (3)

io.netty.incubator/netty-incubator-codec-ohttp 0 - 0.0.21.FinalMaven

netty/netty-incubator-codec-ohttp < 0.0.21

netty/netty-incubator-codec-ohttp < 0.0.21.Final

Published Jun 04, 2026

Tracked Since Jun 04, 2026