PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-41207 Netty CVE debrief

The Netty-Incubator-Codec-Ohttp, a Java binary HTTP parser, has a vulnerability in its HKDF (HMAC-based key derivation function) key material generation. Prior to version 0.0.21.Final, the HKDF_expand function returns a non-NULL value on failure: a byte array filled with zeros. This makes it impossible to distinguish a successful operation from a failed one. The output of this function is used as key material for the response AEAD (Authenticated Encryption with Associated Data), so a failure in HKDF_expand silently results in an all-zero key. Furthermore, when EVP_HPKE_CTX_export fails, it likewise returns a zero-filled byte array, and that array is passed directly to OHttpCrypto.createResponseAEAD(...). A silently all-zero export secret therefore produces a deterministic, attacker-predictable AEAD key.

Vendor
Netty
Product
Netty-Incubator-Codec-Ohttp
CVSS
MEDIUM 6.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-04
Original CVE updated
2026-06-05
Advisory published
2026-06-04
Advisory updated
2026-06-05

Who should care

Users of Netty-Incubator-Codec-Ohttp versions prior to 0.0.21.Final are affected by this vulnerability. Its CVSS score of 6.9 indicates medium severity.

Technical summary

The vulnerability arises from the HKDF_expand function in Netty-Incubator-Codec-Ohttp returning a non-NULL value (a byte array filled with zeros) on failure rather than signalling the error. Because that output feeds the response AEAD key, a silent failure yields a predictable all-zero key.
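As an added example (not code from the Netty project or the advisory), the failure-signalling mistake described above reproduced in plain Java with javax.crypto: a correct RFC 5869 HKDF-Expand that propagates errors, the silent zero-filled variant, and a guard that a consumer of key material can apply before building an AEAD. The class, method and sample info names are assumptions of this illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added illustration, not netty-incubator-codec-ohttp code: RFC 5869 HKDF-Expand over
// HMAC-SHA256, the failure-swallowing pattern the advisory describes, and a defensive guard.
public final class HkdfExpandDemo {
    // Correct variant: every failure propagates as an exception, never as bytes.
    static byte[] hkdfExpand(byte[] prk, byte[] info, int length) throws GeneralSecurityException {
        if (prk.length == 0) throw new InvalidKeyException("empty PRK");
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(prk, "HmacSHA256"));
        byte[] okm = new byte[length];
        byte[] t = new byte[0];
        for (int i = 1, pos = 0; pos < length; i++) {
            mac.update(t); mac.update(info); mac.update((byte) i);   // T(i) = HMAC(PRK, T(i-1) | info | i)
            t = mac.doFinal();
            int n = Math.min(t.length, length - pos);
            System.arraycopy(t, 0, okm, pos, n);
            pos += n;
        }
        return okm;
    }
    // Vulnerable pattern (the pre-0.0.21.Final behaviour as the advisory describes it): the failure
    // is swallowed and a zero-filled array of the requested length comes back, indistinguishable
    // from real key material.
    static byte[] hkdfExpandSilent(byte[] prk, byte[] info, int length) {
        try {
            return hkdfExpand(prk, info, length);
        } catch (GeneralSecurityException e) {
            return new byte[length];   // caller would build the response AEAD from all zeros
        }
    }
    // Defensive guard for whatever consumes exported secrets: refuse empty or all-zero key
    // material so a silent failure upstream cannot turn into a deterministic AEAD key.
    static byte[] requireNonZeroKey(byte[] key) {
        int acc = 0; for (byte b : key) acc |= b;
        if (key.length == 0 || acc == 0) throw new IllegalStateException("empty or all-zero key material");
        return key;
    }
    public static void main(String[] args) throws Exception {
        byte[] info = "ohttp response key".getBytes(StandardCharsets.UTF_8);   // constructed sample label
        byte[] bad = hkdfExpandSilent(new byte[0], info, 32);   // empty PRK: expand fails silently
        System.out.println("silent variant returned " + bad.length + " bytes, all zero");
        try { requireNonZeroKey(bad); } catch (IllegalStateException e) { System.out.println("guard: " + e.getMessage()); }
        System.out.println("valid PRK -> " + requireNonZeroKey(hkdfExpand(new byte[32], info, 32)).length + "-byte key");
    }
}
```

The guard is a belt-and-braces check for callers; the actual fix is to upgrade so that HKDF_expand and the export path report failure instead of returning zeros.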

Defensive priority

Medium

Recommended defensive actions

  • Upgrade to version 0.0.21.Final or later of Netty-Incubator-Codec-Ohttp.
  • Review and update any systems or applications using vulnerable versions of Netty-Incubator-Codec-Ohttp.

Evidence notes

The vulnerability is confirmed by the vendor's advisory and CVE record.

Official resources

CVE-2026-41207 was published on 2026-06-04T18:16:30.433Z and modified on 2026-06-05T21:01:26.883Z.