Request-Line Validation Bypass in Netty Framework
CVE-2026-41417

5.3MEDIUM

Key Information:

Vendor: Netty
Status: Netty
Vendor: CVE Published:; 6 May 2026

What is CVE-2026-41417?

A vulnerability in the Netty framework allows an attacker to bypass request-line validation when creating a DefaultHttpRequest or DefaultFullHttpRequest. The integrity check on the URI, which is performed during construction, is ignored when the URI is later modified using setUri(). This omission permits the injection of CRLF characters and whitespace into the request line, potentially leading to malicious HTTP request smuggling and RTSP request injection attacks. This vulnerability poses significant risks if attacker-controlled input successfully alters the request, facilitating desynchronization or unexpected behaviors in client-server interactions. The issue has been addressed in versions 4.2.13.Final and 4.1.133.Final of the Netty framework.

Affected Version(s)

netty >= 4.2.0.Alpha1, <= 4.2.12.Final <= 4.2.0.Alpha1, 4.2.12.Final

netty <= 4.1.132.Final <= 4.1.132.Final

References

https://github.com/netty/netty/security/advisories/GHSA-v...

x_refsource_CONFIRM

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 6, 2026
Vulnerability Reserved
Apr 20, 2026

CVE-2026-41417 Data

JSON