netty-incubator-codec-ohttp's HPKEContext operations may produce empty byte[] on failures
CVE-2026-41207

6.9MEDIUM

Key Information:

Vendor: Netty
Status: Netty-incubator-codec-ohttp
Vendor: CVE Published:; 4 June 2026

What is CVE-2026-41207?

The netty incubator codec.bhttp is a java language binary http parser. Prior to version 0.0.21.Final, HKDF_expand returns non-NULL on failure. The byte[] is filled with zeros and has no way to distinguish success from failure. Since this output is used as HKDF key material for the response AEAD, a failure silently produces an all-zero key. When EVP_HPKE_CTX_export fails it also returns an empty byte[] array filled with zeros. This byte[] feeds directly into OHttpCrypto.createResponseAEAD(...). A silent all-zero export secret would produce a deterministic, attacker-predictable AEAD key. Version 0.0.21.Final patches the issue.

Affected Version(s)

netty-incubator-codec-ohttp < 0.0.21.Final

References

https://github.com/netty/netty-incubator-codec-ohttp/secu...

x_refsource_CONFIRM

https://github.com/netty/netty-incubator-codec-ohttp/comm...

x_refsource_MISC

CVSS V4

Score:

6.9

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 4, 2026
Vulnerability Reserved
Apr 18, 2026

CVE-2026-41207 Data

JSON

Netty

What is CVE-2026-41207?

Affected Version(s)

References

CVSS V4

Timeline