Bug 2477224 (CVE-2026-42584)
| Summary: | CVE-2026-42584 netty: io.netty/netty-codec-http: Netty: Incorrect HTTP response parsing leads to data confusion | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | aazores, anthomas, ant, aschwart, asoldano, aszczucz, ataylor, avibelli, bbaranow, bbrownin, bgeorges, bmaxwell, boliveir, bstansbe, ccranfor, cescoffi, chfoley, cmah, dandread, dbruscin, dhanak, dkreling, dlofthou, drichtar, drosa, dsimansk, eaguilar, ebaron, ehelms, ewittman, fmariani, fmongiar, ggainey, gmalinko, gsmet, gtanzill, ibek, istudens, ivassile, iweiss, janstey, jbuscemi, jkoehler, jmartisk, jnethert, jolong, jpechane, jrokos, juwatts, jwon, kaycoth, kgaikwad, kingland, kvanderr, kverlaen, lphiri, lthon, manderse, mcarlett, mhulan, mnovotny, mosmerov, mposolda, mstipich, msvehla, nipatil, nmoumoul, nwallace, olubyans, osousa, pantinor, pberan, pbizzarr, pcreech, pdelbell, pesilva, pgallagh, pjindal, pmackay, probinso, rchan, rexwhite, rgodfrey, rguimara, rkubis, rmartinc, rruss, rstancel, rstepani, rsvoboda, sausingh, sbiarozk, sdawley, smaestri, smallamp, ssilvert, sthirugn, sthorger, swoodman, tcunning, thjenkin, tmalecek, tqvarnst, vdosoudi, vmuzikar, yfang |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: |
A flaw was found in Netty, an asynchronous, event-driven network application framework. A remote attacker could exploit this vulnerability by sending a specific sequence of HTTP responses (103, followed by a 200 with a GET body, then another 200 for a HEAD request) when the client pipelines GET then HEAD requests. This can cause the HttpClientCodec to incorrectly pair responses, leading to subsequent HTTP responses being parsed from the wrong offset. This issue may result in information disclosure or other data integrity problems due to misinterpretation of network traffic.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2482499 | ||
| Bug Blocks: | |||
|
Description
OSIDB Bzimport
2026-05-13 19:02:14 UTC
|