Java HTTP Parser Vulnerability in Netty Incubator Codec by Netty
CVE-2026-41207
6.9MEDIUM
What is CVE-2026-41207?
The netty incubator codec.bhttp is a Java-based binary HTTP parser that encountered an issue prior to version 0.0.21.Final. Specifically, the HKDF_expand function would return non-NULL values even when it failed, leading to zero-filled output without a clear indication of error. This behavior accidentally generates an all-zero key for AEAD response encryption, rendering it predictable to attackers. This flaw has been rectified in version 0.0.21.Final, enhancing the security of key material generation and overall encryption integrity.
Affected Version(s)
netty-incubator-codec-ohttp < 0.0.21.Final
