Java-based HTTP Parser Vulnerability in Netty by Vendor Netty
CVE-2026-48040
6.8MEDIUM
What is CVE-2026-48040?
The Netty incubator codec.bhttp, a Java-based HTTP parser, has a vulnerability that allows an unauthenticated network attacker to exploit memory corruption. This occurs when default settings prevent the library from accessing native memory addresses due to restrictions on sun.misc.Unsafe. Consequently, the OHTTP gateway can be manipulated to expose sensitive information from adjacent pooled direct buffers. Even if cryptographic operations fail, the zeroizing of output buffers by BoringSSL can still lead to sensitive data leaks. To mitigate these risks, it is crucial to update to version 0.0.22.Final, which addresses these vulnerabilities.
Affected Version(s)
netty-incubator-codec-ohttp < 0.0.22.Final
