Bug 2477232 (CVE-2026-42581) - CVE-2026-42581 netty: io.netty/netty-codec-http: Netty: HTTP Request Smuggling due to improper handling of conflicting HTTP/1.0 headers
Summary: CVE-2026-42581 netty: io.netty/netty-codec-http: Netty: HTTP Request Smugglin...
Keywords:
Status: NEW
Alias: CVE-2026-42581
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2482503
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-05-13 19:02 UTC by OSIDB Bzimport
Modified: 2026-07-09 15:30 UTC (History)
109 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2026:28010 0 None None None 2026-06-22 17:16:06 UTC
Red Hat Product Errata RHSA-2026:37390 0 None None None 2026-07-09 15:30:45 UTC

Description OSIDB Bzimport 2026-05-13 19:02:49 UTC
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder strips a conflicting Content-Length header when a request carries both Transfer-Encoding: chunked and Content-Length, but only for HTTP/1.1 messages. The guard is absent for HTTP/1.0. An attacker that sends an HTTP/1.0 request with both headers causes Netty to decode the body as chunked while leaving Content-Length intact in the forwarded HttpMessage. Any downstream proxy or handler that trusts Content-Length over Transfer-Encoding will disagree on message boundaries, enabling request smuggling. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

Comment 3 errata-xmlrpc 2026-06-22 17:16:00 UTC
This issue has been addressed in the following products:

  Cryostat 4 on RHEL 9

Via RHSA-2026:28010 https://access.redhat.com/errata/RHSA-2026:28010

Comment 4 errata-xmlrpc 2026-07-09 15:30:39 UTC
This issue has been addressed in the following products:

  Red Hat build of Apache Camel 4.18.1.P1 for Spring Boot 3.5.16

Via RHSA-2026:37390 https://access.redhat.com/errata/RHSA-2026:37390


Note You need to log in before you can comment on or make changes to this bug.