Request Smuggling Vulnerability in Netty Framework Affects Multiple Versions
CVE-2026-42580

6.5 MEDIUM

Key Information:

Vendor: Netty
CVE Published: 13 May 2026

What is CVE-2026-42580?

A vulnerability in the Netty framework allows request smuggling attacks because an int in the chunk size parser silently overflows. The issue affects versions prior to 4.2.13.Final and 4.1.133.Final. Users are advised to upgrade to the latest versions to mitigate potential security risks.

Affected Version(s)

netty >= 4.2.0.Alpha1, < 4.2.13.Final

netty < 4.1.133.Final

netty-codec-http >= 4.2.0.Alpha1, < 4.2.13.Final

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
