CVE-2026-42587

high

Published 2026-05-13 · Modified 2026-05-14

CVSS v3

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v2

—

VIR risk

7.5

Description

Netty: HttpContentDecompressor maxAllocation bypass when Content-Encoding set to br/zstd/snappy leads to decompression bomb DoS

Exploit likelihood

83%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2026-42587

vendor Authored 2026-05-27

Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2026-42587.html

vendor Authored 2026-05-27

Vendor advisory: security-advisories@github.com — https://github.com/netty/netty/security/advisories/GHSA-f6hv-jmp6-3vwv

OS	Version	Status
sles		affected
debian	bookworm	affected
debian	bullseye	affected
debian	forky	affected
debian	sid	affected
debian	trixie	affected

Ecosystem	Package	Vulnerable	Fixed
Maven	io.netty:netty-codec-http	`>=4.2.0.Alpha1,<4.2.13.Final`	`4.2.13.Final`
Maven	io.netty:netty-codec-http2	`>=4.2.0.Alpha1,<4.2.13.Final`	`4.2.13.Final`
Maven	io.netty:netty-codec-http	`<4.1.133.Final`	`4.1.133.Final`
Maven	io.netty:netty-codec-http2	`<4.1.133.Final`	`4.1.133.Final`
MAVEN	io.netty:netty-codec-http2	`<= 4.1.132.Final`	`4.1.133.Final`
MAVEN	io.netty:netty-codec-http	`<= 4.1.132.Final`	`4.1.133.Final`
MAVEN	io.netty:netty-codec-http2	`>= 4.2.0.Alpha1, <= 4.2.12.Final`	`4.2.13.Final`
MAVEN	io.netty:netty-codec-http	`>= 4.2.0.Alpha1, <= 4.2.12.Final`	`4.2.13.Final`

Vendor	Product	Versions	Fixed
netty	netty	`{"endExcluding":"4.1.133"}`	`4.1.133`

CWE-400

Verify integrity in audit chain (admin only). AS-IS.