Bug 2477227 (CVE-2026-42585)

Summary: CVE-2026-42585 netty: io.netty/netty-codec-http: Netty: Request smuggling via malformed Transfer-Encoding parsing
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aazores, anthomas, ant, aschwart, asoldano, aszczucz, ataylor, avibelli, bbaranow, bbrownin, bgeorges, bmaxwell, boliveir, bstansbe, ccranfor, cescoffi, chfoley, cmah, dandread, dbruscin, dhanak, dkreling, dlofthou, drichtar, drosa, dsimansk, eaguilar, ebaron, ehelms, ewittman, fmariani, fmongiar, ggainey, gmalinko, gsmet, ibek, istudens, ivassile, iweiss, janstey, jkoehler, jmartisk, jnethert, jolong, jpechane, jrokos, juwatts, jwon, kaycoth, kgaikwad, kingland, kvanderr, kverlaen, lphiri, lthon, manderse, mcarlett, mhulan, mnovotny, mosmerov, mposolda, mstipich, msvehla, nipatil, nmoumoul, nwallace, olubyans, osousa, pantinor, pberan, pbizzarr, pcreech, pdelbell, pesilva, pgallagh, pjindal, pmackay, probinso, rchan, rexwhite, rgodfrey, rguimara, rkubis, rmartinc, rruss, rstancel, rstepani, rsvoboda, sausingh, sbiarozk, sdawley, smaestri, smallamp, ssilvert, sthirugn, sthorger, swoodman, tcunning, thjenkin, tmalecek, tqvarnst, vdosoudi, vmuzikar, yfang
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in Netty. This vulnerability allows a remote attacker to perform request smuggling attacks due to incorrect parsing of malformed Transfer-Encoding headers. By exploiting this flaw, an attacker can bypass security controls and potentially access sensitive information or manipulate web traffic.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2482692    
Bug Blocks:    

Description OSIDB Bzimport 2026-05-13 19:02:28 UTC 
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.