CVE-2026-42581

critical

Published 2026-05-13 · Modified 2026-05-14

CVSS v3

9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

CVSS v2

—

VIR risk

9.8

Description

Netty HTTP/1.0 TE+CL Coexistence Bypasses Smuggling Sanitization

Exploit likelihood

97%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2026-42581

vendor Authored 2026-05-27

Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2026-42581.html

vendor Authored 2026-05-27

Vendor advisory: security-advisories@github.com — https://github.com/netty/netty/security/advisories/GHSA-xxqh-mfjm-7mv9

OS	Version	Status
sles		affected
debian	bookworm	affected
debian	bullseye	affected
debian	forky	affected
debian	sid	affected
debian	trixie	affected

Ecosystem	Package	Vulnerable	Fixed
Maven	io.netty:netty-codec-http	`>=4.2.0.Alpha1,<4.2.13.Final`	`4.2.13.Final`
Maven	io.netty:netty-codec-http	`<4.1.133.Final`	`4.1.133.Final`
MAVEN	io.netty:netty-codec-http	`<= 4.1.132.Final`	`4.1.133.Final`
MAVEN	io.netty:netty-codec-http	`>= 4.2.0.Alpha1, <= 4.2.12.Final`	`4.2.13.Final`

Vendor	Product	Versions	Fixed
netty	netty	`{"endExcluding":"4.1.133"}`	`4.1.133`

CWE-444

Verify integrity in audit chain (admin only). AS-IS.