CVE-2026-42584

Netty: HttpClientCodec response desynchronization

Assigner: GitHub_M
Reserved: 28.04.2026 Published: 13.05.2026 Updated: 13.05.2026

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll() once per response, including for 1xx. If the client pipelines GET then HEAD and the server sends 103, then 200 with GET body, then 200 for HEAD, the queue pairs HEAD with the first 200. The HEAD rule then skips reading that message’s body, so the GET entity bytes stay on the stream and the following 200 is parsed from the wrong offset. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CVSS Score: 7.3

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	None	Integrity Impact	Low
User Interaction	None	Availability Impact	Low

CVSS 3.1

Product Status

Vendor	netty
Product	netty
Versions	Version >= 4.2.0.Alpha1, < 4.2.13.Final is affected Version < 4.1.133.Final is affected

Vendor

netty

Product

netty

Versions

Version >= 4.2.0.Alpha1, < 4.2.13.Final is affected
Version < 4.1.133.Final is affected

Vendor	io.netty
Product	netty-codec-http
Versions	Version >= 4.2.0.Alpha1, < 4.2.13.Final is affected Version < 4.1.133.Final is affected

Vendor

io.netty

Product

netty-codec-http

Versions

Version >= 4.2.0.Alpha1, < 4.2.13.Final is affected
Version < 4.1.133.Final is affected

References

Problem Types

CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') CWE

CVE-2026-42584 PUBLISHED

Netty: HttpClientCodec response desynchronization

Metrics

Product Status

References

Problem Types