CVE-2026-42580 PUBLISHED

Netty: HTTP Request Smuggling due to incorrect chunk size parsing

Assigner: GitHub_M
Reserved: 28.04.2026 Published: 13.05.2026 Updated: 13.05.2026

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's chunk size parser silently overflows int, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
CVSS Score: 6.5

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	Low
User Interaction	None	Availability Impact	Low

CVSS 3.1

Product Status

Vendor	netty
Product	netty
Versions	Version >= 4.2.0.Alpha1, < 4.2.13.Final is affected Version < 4.1.133.Final is affected

Vendor	io.netty
Product	netty-codec-http
Versions	Version >= 4.2.0.Alpha1, < 4.2.13.Final is affected Version < 4.1.133.Final is affected

References

https://github.com/netty/netty/security/advisories/GHSA-m4cv-j2px-7723

Problem Types

CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') CWE
CWE-190: Integer Overflow or Wraparound CWE