Java HTTP Parser Vulnerability in Netty Incubator Codec by Netty
CVE-2026-41207

6.9MEDIUM

Key Information:

Vendor

Netty

Vendor
CVE Published:
4 June 2026

What is CVE-2026-41207?

The netty incubator codec.bhttp is a Java-based binary HTTP parser that encountered an issue prior to version 0.0.21.Final. Specifically, the HKDF_expand function would return non-NULL values even when it failed, leading to zero-filled output without a clear indication of error. This behavior accidentally generates an all-zero key for AEAD response encryption, rendering it predictable to attackers. This flaw has been rectified in version 0.0.21.Final, enhancing the security of key material generation and overall encryption integrity.

Affected Version(s)

netty-incubator-codec-ohttp < 0.0.21.Final

References

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.