Buffer Overflow in Netty Framework Affects Network Applications
CVE-2026-42582
7.5 HIGH
What is CVE-2026-42582?
A buffer overflow vulnerability has been identified in the Netty Framework prior to version 4.2.13.Final. This issue arises when decoding header blocks; specifically, the non-Huffman branch of the QpackDecoder may attempt to allocate a byte array without validating the specified length against the number of available readable bytes. This can lead to potential service disruptions or other unexpected behavior in applications utilizing affected versions of the Netty Framework.
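The missing check described above, as an added example that is not Netty's QpackDecoder code: a non-Huffman string literal with a 7-bit prefix length (the RFC 7541 section 5.2 layout) is read from a `java.nio.ByteBuffer`, first with the array sized by the declared length alone, then with the length validated against the readable bytes. The class and method names, the `maxLiteral` cap and the sample bytes are assumptions constructed for illustration.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;

public class LengthCheckedLiteral {
    // Prefix integer with a 7-bit prefix; the top bit of the first byte is the Huffman flag.
    static long readLength(ByteBuffer in) {
        long value = in.get() & 0x7F;
        if (value < 0x7F) return value;
        for (int shift = 0; shift <= 28; shift += 7) {
            int b = in.get() & 0xFF;
            value += (long) (b & 0x7F) << shift;
            if ((b & 0x80) == 0) return value;
        }
        throw new IllegalArgumentException("length integer too long");
    }

    // Pattern the advisory describes: the allocation is sized by the declared length alone.
    static byte[] readLiteralUnchecked(ByteBuffer in) {
        byte[] out = new byte[(int) readLength(in)]; // size comes straight from the wire
        in.get(out);                                  // underflow is noticed only after allocating
        return out;
    }

    // Hardened form: compare the declared length with the readable bytes before allocating.
    static byte[] readLiteralChecked(ByteBuffer in, int maxLiteral) {
        long length = readLength(in);
        if (length > maxLiteral || length > in.remaining()) {
            throw new IllegalArgumentException(
                "declared length " + length + " exceeds readable " + in.remaining());
        }
        byte[] out = new byte[(int) length];
        in.get(out);
        return out;
    }

    public static void main(String[] args) {
        // Constructed inputs: a well-formed literal, then one declaring 1000 bytes with 3 present.
        byte[] ok = {0x05, 'h', 'e', 'l', 'l', 'o'};
        byte[] truncated = {0x7F, (byte) 0xE9, 0x06, 'a', 'b', 'c'};
        System.out.println(new String(
            readLiteralChecked(ByteBuffer.wrap(ok), 8192), StandardCharsets.US_ASCII));
        try {
            readLiteralChecked(ByteBuffer.wrap(truncated), 8192);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```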
Affected Version(s)
netty >= 4.2.0.Alpha1, < 4.2.13.Final
netty-codec-http3 >= 4.2.0.Alpha1, < 4.2.13.Final
