Request Smuggling Vulnerability in Netty Framework by Ethernet
CVE-2026-42581

5.8 MEDIUM

Key Information:

Vendor: Netty

Status
Vendor
CVE Published: 13 May 2026

What is CVE-2026-42581?

Netty's HTTP message handling is susceptible to request smuggling. The issue arises when an HTTP/1.0 request carries both a 'Content-Length' header and 'Transfer-Encoding: chunked'. Netty decodes the body as chunked but leaves the 'Content-Length' header on the message, which can mislead downstream proxies or handlers that prioritize 'Content-Length' over 'Transfer-Encoding'. The components then disagree on where the message ends, and an attacker can use that boundary mismatch to smuggle a request past them. Users are advised to upgrade to Netty 4.2.13.Final or 4.1.133.Final to mitigate this issue. For further details, visit the official advisory.

Affected Version(s)

netty >= 4.2.0.Alpha1, < 4.2.13.Final

netty < 4.1.133.Final

CVSS V3.1

Score: 5.8
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
