CVE-2026-42580
MEDIUM
Netty: HTTP Request Smuggling due to incorrect chunk size parsing
Title source: cna
Description
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's chunk size parser silently overflows int, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
References (1)
Core References
x_refsource_confirm
https://github.com/netty/netty/security/advisories/GHSA-m4cv-j2px-7723
Scores
CVSS v3: 6.5
EPSS: 0.0036
EPSS Percentile: 28.0%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-190, CWE-444
Status: published
Products (7)
io.netty/netty-codec-http: 0 - 4.1.133.Final (Maven)
io.netty/netty-codec-http: 4.2.0.Alpha1 - 4.2.13.Final (Maven)
io.netty/netty-codec-http: < 4.1.133.Final
io.netty/netty-codec-http: >= 4.2.0.Alpha1, < 4.2.13.Final
netty/netty: < 4.1.133
netty/netty: < 4.1.133.Final
netty/netty: >= 4.2.0.Alpha1, < 4.2.13.Final
Published: May 13, 2026
Tracked Since: May 14, 2026