CVE-2026-42580

Description

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's chunk size parser silently overflows int, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

CVSS breakdown

Affected products

• io.netty / netty-codec-http>= 4.2.0.Alpha1, < 4.2.13.Final – >= 4.2.0.Alpha1, < 4.2.13.Final
• io.netty / netty-codec-http< 4.1.133.Final – < 4.1.133.Final
• netty / netty>= 4.2.0.Alpha1, < 4.2.13.Final – >= 4.2.0.Alpha1, < 4.2.13.Final
• netty / netty< 4.1.133.Final – < 4.1.133.Final

References

• VENDOR_ADVISORYhttps://github.com/netty/netty/security/advisories/GHSA-m4cv-j2px-7723