PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-42580 Netty CVE debrief

Netty's HTTP chunk size parser contains an integer overflow vulnerability that enables HTTP request smuggling attacks. The flaw occurs when parsing chunked transfer-encoding sizes, where a malformed chunk size value silently overflows the signed 32-bit integer type, causing Netty to misinterpret chunk boundaries. This can desynchronize the HTTP request/response stream between Netty-based servers and downstream components, potentially allowing attackers to smuggle malicious requests past security controls. The vulnerability affects Netty versions prior to 4.1.133.Final in the 4.1.x branch and prior to 4.2.13.Final in the 4.2.x branch. The issue was disclosed on 2026-05-13 and last modified on 2026-05-18. No known exploitation in ransomware campaigns has been reported.

Vendor: Netty
Product: Netty
CVSS: 6.5 (Medium)
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-13
Original CVE updated: 2026-05-18
Advisory published: 2026-05-13
Advisory updated: 2026-05-18

Who should care

Organizations running Netty-based HTTP servers or proxies, particularly those handling untrusted client traffic directly or behind load balancers. Development teams using Netty for custom protocol implementations with chunked encoding support.

Technical summary

The vulnerability resides in Netty's HTTP decoder when parsing chunked transfer-encoding chunk sizes. A maliciously crafted chunk size value exceeding Integer.MAX_VALUE causes silent integer overflow, resulting in a negative or truncated size value. This boundary miscalculation desynchronizes the HTTP message parser state, enabling request smuggling where subsequent bytes are interpreted as a new HTTP request rather than chunk data. The attack requires network access to the target application but no authentication. Impact is limited to integrity and availability (no confidentiality impact per CVSS).

Defensive priority

Medium

Recommended defensive actions

  • Upgrade Netty to version 4.1.133.Final or later for the 4.1.x branch, or 4.2.13.Final or later for the 4.2.x branch
  • Review application logs for anomalous HTTP chunked transfer-encoding requests that may indicate exploitation attempts
  • Implement defense-in-depth by deploying HTTP request smuggling detection at load balancers or reverse proxies fronting Netty applications
  • Validate that upstream security controls (WAFs, API gateways) properly normalize chunked encoding to prevent smuggling variants
  • Audit custom Netty channel handlers for additional integer overflow risks in length or size parsing logic
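
The parsing pattern behind the CWE-190 finding in the technical summary, and the kind of check the last action above asks reviewers to look for in custom handlers, as an added illustration. This is example code written for this debrief, not Netty's decoder; the class name, method names and the 8 MiB cap are assumptions, and the sample chunk-size lines are constructed. The lenient parser accumulates hex digits into a 32-bit int the way an unguarded loop does and wraps silently; the strict parser uses Math.multiplyExact/addExact, rejects non-hex characters and enforces a configured maximum. The classify helper is the triage step for the log-review action: any captured chunk-size line that the lenient parser accepts but the strict parser rejects is worth investigating.

```java
import java.util.Arrays;
import java.util.List;

// Illustrative example for this debrief; not Netty's own HTTP decoder code.
public final class ChunkSizeParsing {

    /** Vulnerable pattern: hex digits accumulated into a 32-bit int with no bound check. */
    static int parseChunkSizeUnchecked(String line) {
        int size = 0;
        for (int i = 0; i < line.length(); i++) {
            int d = Character.digit(line.charAt(i), 16);
            if (d < 0) {
                break; // ';' starts a chunk extension, whitespace ends the size field
            }
            size = size * 16 + d; // wraps silently once it passes Integer.MAX_VALUE
        }
        return size;
    }

    /** Hardened form: overflow-checked arithmetic, strict syntax, explicit upper bound. */
    static int parseChunkSizeChecked(String line, int maxChunkSize) {
        int size = 0;
        int digits = 0;
        for (int i = 0; i < line.length(); i++) {
            char c = line.charAt(i);
            int d = Character.digit(c, 16);
            if (d < 0) {
                if (c == ';' || c == ' ' || c == '\t' || c == '\r' || c == '\n') {
                    break;
                }
                throw new IllegalArgumentException("illegal character in chunk-size: " + c);
            }
            digits++;
            try {
                // Throws ArithmeticException instead of wrapping past Integer.MAX_VALUE
                size = Math.addExact(Math.multiplyExact(size, 16), d);
            } catch (ArithmeticException e) {
                throw new IllegalArgumentException("chunk-size overflows 32-bit int", e);
            }
            if (size > maxChunkSize) {
                throw new IllegalArgumentException("chunk-size exceeds configured maximum: " + size);
            }
        }
        if (digits == 0) {
            throw new IllegalArgumentException("missing chunk-size");
        }
        return size;
    }

    /** Triage helper for captured chunk-size lines: "ok" or the reason the strict parser rejects it. */
    static String classify(String line, int maxChunkSize) {
        int lenient = parseChunkSizeUnchecked(line);
        try {
            parseChunkSizeChecked(line, maxChunkSize);
            return "ok";
        } catch (IllegalArgumentException e) {
            // Accepted by the lenient loop but rejected here: the signature of this bug class
            return "REJECT (" + e.getMessage() + "; lenient parser would have used " + lenient + ")";
        }
    }

    public static void main(String[] args) {
        // Constructed sample chunk-size lines, as they would appear before CRLF in a chunked body
        List<String> samples = Arrays.asList(
            "1a",         // 26 bytes, well-formed
            "1A;ext=1",   // chunk extension is allowed after the size
            "7fffffff",   // exactly Integer.MAX_VALUE, fits but exceeds the 8 MiB cap below
            "80000000",   // lenient parser wraps to Integer.MIN_VALUE (-2147483648)
            "100000000",  // lenient parser wraps to 0, which reads like the terminating chunk
            "xyz"         // not hex at all; lenient parser quietly yields 0
        );
        int maxChunkSize = 8 * 1024 * 1024; // assumed deployment cap, not a Netty default
        for (String s : samples) {
            System.out.printf("%-12s lenient=%-12d strict=%s%n",
                    s, parseChunkSizeUnchecked(s), classify(s, maxChunkSize));
        }
    }
}
```

The two wraparound cases are the ones that matter for the desynchronization described above: a size that wraps to a negative value breaks the decoder's byte accounting, and one that wraps to zero is indistinguishable from the last-chunk marker, so whatever follows is parsed as the start of a new message. When auditing a handler, look for the `size * 16 + d` (or `size << 4 | d`) accumulation with no digit-count or magnitude check, and for a missing rejection of non-hex input.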

Evidence notes

Integer overflow in chunk size parsing (CWE-190) leading to HTTP request smuggling (CWE-444). CVSS 3.1 score 6.5 (Medium) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L. Affected versions confirmed via NVD CPE criteria: all versions before 4.1.133.Final and 4.2.0 through 4.2.12.Final.

Official resources

2026-05-13