Network Application Framework Vulnerability in Netty by The Netty Company
CVE-2026-42584

7.3 HIGH

Key Information:

Vendor: Netty

CVE Published: 13 May 2026

What is CVE-2026-42584?

The vulnerability in Netty's HttpClientCodec causes inbound responses to be paired with the wrong outbound requests because of the queue.poll() mechanism. The issue arises in particular when 1xx responses are involved, and it leads to unintended behavior in HTTP response processing. If a client sends both a GET and a HEAD request and the server first sends a 103 followed by two 200 responses, the HEAD request incorrectly reads the GET response's data, causing parsing errors. Correct pairing is essential for application responses to be processed correctly. The issue is resolved in versions 4.2.13.Final and 4.1.133.Final.
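A simplified Python model of the pairing described above, added here as an illustration; it is not Netty's code or its actual patch. The function names and the `skip_informational` switch are assumptions, and the request and response sequence is constructed from the scenario in the description.

```python
from collections import deque

# Constructed scenario from the description: the client sends GET then HEAD;
# the server answers 103, then 200 (for GET), then 200 (for HEAD).
REQUESTS = ["GET", "HEAD"]
RESPONSES = [103, 200, 200]


def pair_responses(requests, statuses, skip_informational):
    """Return [(status, paired_method, decoder_expects_body), ...].

    skip_informational=False models the flawed pairing: every response,
    including a 1xx, takes one method off the queue (the queue.poll() step).
    skip_informational=True models an assumed correction: a 1xx response is
    interim, so the pending request stays queued for its final response.
    """
    queue = deque(requests)
    result = []
    for status in statuses:
        informational = 100 <= status < 200
        if informational and skip_informational:
            method = queue[0] if queue else None          # peek only
        else:
            method = queue.popleft() if queue else None   # consume an entry
        # A 1xx response and a response to HEAD carry no body to read.
        expects_body = not informational and method != "HEAD"
        result.append((status, method, expects_body))
    return result


def mispaired(requests, pairing):
    """True when final (non-1xx) responses do not map to requests in order."""
    finals = [method for status, method, _ in pairing if status >= 200]
    return finals != list(requests)


if __name__ == "__main__":
    for label, skip in (("flawed", False), ("corrected", True)):
        pairing = pair_responses(REQUESTS, RESPONSES, skip)
        print(label, pairing, "mispaired:", mispaired(REQUESTS, pairing))
```

In the flawed run the first 200 is treated as the HEAD response, so the decoder expects no body and the GET body that follows on the wire is parsed as the start of the next message.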

Affected Version(s)

netty: >= 4.2.0.Alpha1, < 4.2.13.Final

netty: < 4.1.133.Final

netty-codec-http: >= 4.2.0.Alpha1, < 4.2.13.Final

CVSS V3.1

Score: 7.3
Severity: HIGH
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
