Bug 2477224 (CVE-2026-42584) - CVE-2026-42584 netty: io.netty/netty-codec-http: Netty: Incorrect HTTP response parsing leads to data confusion
Keywords:
Status: NEW
Alias: CVE-2026-42584
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2482499
Blocks:
Reported: 2026-05-13 19:02 UTC by OSIDB Bzimport
Modified: 2026-05-28 10:16 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-05-13 19:02:14 UTC
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll() once per response, including for 1xx. If the client pipelines GET then HEAD and the server sends 103, then 200 with GET body, then 200 for HEAD, the queue pairs HEAD with the first 200. The HEAD rule then skips reading that message’s body, so the GET entity bytes stay on the stream and the following 200 is parsed from the wrong offset. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
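
The pairing error described above, as an added example that is not Netty's code and not part of the original report: a toy Python model of a client-side response decoder, run over a constructed byte stream for the GET-then-HEAD scenario. The function `decode`, the flag `poll_on_1xx` and the stream are hypothetical; `poll_on_1xx=False` models one assumed corrected behaviour (interim 1xx responses do not consume a queued request), not the actual upstream patch.

```python
from collections import deque

# Constructed server bytes for a pipelined GET then HEAD (scenario from the description).
STREAM = (
    b"HTTP/1.1 103 Early Hints\r\n\r\n"                    # interim response
    b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"   # final response to GET
    b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\n"        # final response to HEAD, no body
)

def decode(stream, methods, poll_on_1xx):
    """Toy decoder: returns a list of (paired_method, start_line, body)."""
    queue, out, pos = deque(methods), [], 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end < 0:
            break                                   # incomplete head: wait for more data
        lines = stream[pos:end].decode("latin-1").split("\r\n")
        pos = end + 4
        parts = lines[0].split(" ")
        if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
            out.append((None, lines[0], b""))       # start line is garbage: parser lost sync
            break
        interim = 100 <= int(parts[1]) < 200
        method = None
        if poll_on_1xx or not interim:              # vulnerable model polls for every response
            method = queue.popleft() if queue else None
        headers = dict(h.split(": ", 1) for h in lines[1:])
        length = int(headers.get("Content-Length", 0))
        if interim or method == "HEAD":
            length = 0                              # body treated as always empty
        out.append((method, lines[0], stream[pos:pos + length]))
        pos += length
    return out

if __name__ == "__main__":
    for label, flag in (("poll on 1xx", True), ("skip 1xx", False)):
        print(label)
        for item in decode(STREAM, ["GET", "HEAD"], flag):
            print("   ", item)
```

In the first run the 200 carrying the GET entity is paired with HEAD, its five body bytes are left unread, and the next start line is read as `helloHTTP/1.1 200 OK`; a regression test for a patched client can assert that this start line never appears.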

