netty-incubator-codec-ohttp OHttpVersionChunkDraft's Missing Final-Chunk Enforcement Leads to Undetected Stream Truncation
CVE-2026-48480

6.6MEDIUM

Key Information:

Vendor: Netty
Status: Netty-incubator-codec-ohttp
Vendor: CVE Published:; 4 June 2026

What is CVE-2026-48480?

The netty incubator codec.bhttp is a java language binary http parser. Prior to version 0.0.22.FInal, the codec-ohttp implementation of draft-ietf-ohai-chunked-ohttp does not verify that a cryptographically-signed final chunk was received before the outer HTTP body terminates. An on-path adversary (the OHTTP relay itself, or any MITM on the relay↔gateway or relay↔client transport) can forward a prefix of a legitimate chunked-OHTTP message—cut at a non-final chunk boundary—and close the outer body cleanly, producing no decryption error and no exception in the receiving application. Version 0.0.22.Final fixes the issue.

Affected Version(s)

netty-incubator-codec-ohttp < 0.0.22.Final

References

https://github.com/netty/netty-incubator-codec-ohttp/secu...

x_refsource_CONFIRM

https://github.com/netty/netty-incubator-codec-ohttp/comm...

x_refsource_MISC

CVSS V4

Score:

6.6

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 4, 2026
Vulnerability Reserved
May 21, 2026

CVE-2026-48480 Data

JSON

Netty

What is CVE-2026-48480?

Affected Version(s)

References

CVSS V4

Timeline