Bug 2452453 (CVE-2026-33870)

Summary: CVE-2026-33870 io.netty/netty-codec-http: Netty: Request smuggling via incorrect parsing of HTTP/1.1 chunked transfer encoding extension values
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW ---
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: aazores, abrianik, anthomas, ant, aprice, aschwart, asoldano, aszczucz, ataylor, avibelli, bbaranow, bbrownin, bgeorges, bmaxwell, boliveir, bstansbe, caswilli, ccranfor, cescoffi, chfoley, cmah, dandread, dbruscin, dhanak, dkreling, dlofthou, drichtar, drosa, dsimansk, eaguilar, ebaron, ehelms, ewittman, fmariani, fmongiar, ggainey, ggrzybek, gmalinko, gsmet, ibek, istudens, ivassile, iweiss, janstey, jcantril, jkoehler, jmartisk, jnethert, jolong, jpechane, jraez, jrokos, jsamir, juwatts, kaycoth, kgaikwad, kingland, kvanderr, kverlaen, lphiri, lthon, manderse, mhulan, mnovotny, mosmerov, mposolda, mstipich, msvehla, nipatil, nmoumoul, nwallace, oezr, olubyans, osousa, pantinor, parichar, pberan, pbizzarr, pcreech, pdelbell, pesilva, pgallagh, pjindal, pmackay, probinso, rchan, rexwhite, rgodfrey, rguimara, rkubis, rmartinc, rojacob, rruss, rstancel, rstepani, rsvoboda, sausingh, sbiarozk, sdawley, smaestri, smallamp, ssilvert, sthirugn, sthorger, swoodman, tasato, tcunning, thjenkin, tmalecek, tqvarnst, vdosoudi, vmuzikar, yfang
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in Netty. A remote attacker could exploit this vulnerability by sending specially crafted HTTP/1.1 chunked transfer encoding extension values. Due to incorrect parsing of quoted strings, this flaw enables request smuggling attacks, potentially allowing an attacker to bypass security controls or access unauthorized information.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2452549
Bug Blocks:

Description OSIDB Bzimport 2026-03-27 21:02:24 UTC
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
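Added reference example, not Netty's code and not the upstream fix: a strict parser for the HTTP/1.1 chunk-size line as the RFC 9112 grammar defines it, showing how a quoted chunk-ext-val (including quoted-pair escapes) has to be consumed and when a line must be rejected outright, so that a proxy and the server behind it cannot disagree about where the line ends. It assumes the trailing CRLF has already been stripped; the remediation for this flaw remains upgrading to the fixed versions named above.

```python
import re
# Grammar pieces from RFC 9112 sec. 7.1.1 and RFC 9110 sec. 5.6 (transcribed here; not Netty's code).
HEXDIG = re.compile(rb"[0-9A-Fa-f]+")
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
BWS = re.compile(rb"[ \t]*")

def _quoted_string(line: bytes, i: int):
    # *( qdtext / quoted-pair ) DQUOTE, with the opening DQUOTE already consumed
    out = bytearray()
    while i < len(line):
        c = line[i]
        if c == 0x22:  # closing DQUOTE ends the value; a ';' inside the quotes never does
            return bytes(out), i + 1
        if c == 0x5C:  # quoted-pair: the next byte is taken literally (-1 if the line ends here)
            i, c = i + 1, line[i + 1] if i + 1 < len(line) else -1
        if not (c in (0x09, 0x20) or 0x21 <= c <= 0x7E or c >= 0x80):  # HTAB / SP / VCHAR / obs-text
            raise ValueError("illegal byte in quoted-string")  # also rejects CR, LF and other controls
        out.append(c)
        i += 1
    raise ValueError("unterminated quoted-string")

def parse_chunk_header(line: bytes):
    # chunk-size *( BWS ";" BWS name [ BWS "=" BWS val ] ), CRLF stripped -> (size, [(name, value|None)])
    m = HEXDIG.match(line)
    if not m:
        raise ValueError("missing chunk-size")
    size, i, exts = int(m.group(), 16), m.end(), []
    while (i := BWS.match(line, i).end()) < len(line):
        if line[i] != 0x3B:
            raise ValueError("unexpected byte after chunk-size or extension")
        name = TOKEN.match(line, BWS.match(line, i + 1).end())
        if not name:
            raise ValueError("empty chunk-ext-name")
        i, value = BWS.match(line, name.end()).end(), None
        if i < len(line) and line[i] == 0x3D:
            i = BWS.match(line, i + 1).end()
            if i < len(line) and line[i] == 0x22:
                value, i = _quoted_string(line, i + 1)
            elif v := TOKEN.match(line, i):
                value, i = v.group(), v.end()
            else:
                raise ValueError("empty chunk-ext-val")
        exts.append((name.group(), value))
    return size, exts

def is_well_formed(line: bytes) -> bool:
    try:
        return parse_chunk_header(line) is not None
    except ValueError:
        return False
```

Anything the grammar does not cover (an unterminated quote, bytes after the closing quote, a control character inside the quotes) is rejected rather than guessed at; that refusal is what keeps both ends of a connection framing the body identically.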

Comment 2 errata-xmlrpc 2026-04-14 17:20:59 UTC
This issue has been addressed in the following products:

  Red Hat Build of Apache Camel 4.14 for Quarkus 3.27

Via RHSA-2026:8159 https://access.redhat.com/errata/RHSA-2026:8159

Comment 3 errata-xmlrpc 2026-04-16 15:32:34 UTC
This issue has been addressed in the following products:

  Red Hat AMQ Broker 7.14.0

Via RHSA-2026:8509 https://access.redhat.com/errata/RHSA-2026:8509

Comment 4 errata-xmlrpc 2026-05-04 23:38:03 UTC
This issue has been addressed in the following products:

  Streams for Apache Kafka 3.2.0

Via RHSA-2026:13571 https://access.redhat.com/errata/RHSA-2026:13571

Comment 5 errata-xmlrpc 2026-05-06 17:59:04 UTC
This issue has been addressed in the following products:

  Red Hat AMQ Broker 7.13.5

Via RHSA-2026:14272 https://access.redhat.com/errata/RHSA-2026:14272

Comment 6 errata-xmlrpc 2026-05-06 17:59:54 UTC
This issue has been addressed in the following products:

  Red Hat AMQ Broker 7.12.7

Via RHSA-2026:14276 https://access.redhat.com/errata/RHSA-2026:14276

Comment 7 errata-xmlrpc 2026-05-14 16:55:32 UTC
This issue has been addressed in the following products:

  Red Hat build of Apache Camel 4.18.1 for Spring Boot 3.5.14

Via RHSA-2026:17668 https://access.redhat.com/errata/RHSA-2026:17668

Comment 8 errata-xmlrpc 2026-05-18 12:12:35 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 8.1

Via RHSA-2026:18059 https://access.redhat.com/errata/RHSA-2026:18059

Comment 9 errata-xmlrpc 2026-05-18 12:19:07 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 9

Via RHSA-2026:18055 https://access.redhat.com/errata/RHSA-2026:18055

Comment 10 errata-xmlrpc 2026-05-18 12:22:01 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 8

Via RHSA-2026:18054 https://access.redhat.com/errata/RHSA-2026:18054

Comment 11 errata-xmlrpc 2026-05-26 03:54:01 UTC
This issue has been addressed in the following products:

  Cryostat 4 on RHEL 9

Via RHSA-2026:17789 https://access.redhat.com/errata/RHSA-2026:17789

Comment 12 errata-xmlrpc 2026-06-02 17:41:04 UTC
This issue has been addressed in the following products:

  Red Hat Data Grid 8.6.1

Via RHSA-2026:22619 https://access.redhat.com/errata/RHSA-2026:22619