Java-based HTTP Parser Vulnerability in Netty by Vendor Netty
CVE-2026-48040

6.8MEDIUM

Key Information:

Vendor

Netty

Vendor
CVE Published:
4 June 2026

What is CVE-2026-48040?

The Netty incubator codec.bhttp, a Java-based HTTP parser, has a vulnerability that allows an unauthenticated network attacker to exploit memory corruption. This occurs when default settings prevent the library from accessing native memory addresses due to restrictions on sun.misc.Unsafe. Consequently, the OHTTP gateway can be manipulated to expose sensitive information from adjacent pooled direct buffers. Even if cryptographic operations fail, the zeroizing of output buffers by BoringSSL can still lead to sensitive data leaks. To mitigate these risks, it is crucial to update to version 0.0.22.Final, which addresses these vulnerabilities.

Affected Version(s)

netty-incubator-codec-ohttp < 0.0.22.Final

References

CVSS V4

Score:
6.8
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.