PatchSiren cyber security CVE debrief

CVE-2026-42584 Netty CVE debrief

CVE-2026-42584 is a Netty HTTP client desynchronization issue affecting versions before 4.1.133.Final and 4.2.13.Final. In the vulnerable flow, HttpClientCodec can pair inbound responses to outbound requests incorrectly when pipelined requests include a GET followed by a HEAD and the server sends a 103 interim response, then a 200 for the GET body, then a 200 for the HEAD. The mismatch can cause the HEAD handling logic to skip reading a body it thinks belongs to the HEAD response, leaving the GET entity bytes on the stream and causing the next response to be parsed from the wrong offset. The result is protocol confusion with potential confidentiality, integrity, and availability impact, consistent with the reported CVSS 7.3 HIGH rating and CWE-444.

Vendor: Netty
Product: Unknown
CVSS: HIGH 7.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-13
Original CVE updated: 2026-05-18
Advisory published: 2026-05-13
Advisory updated: 2026-05-18

Who should care

Teams that use Netty as an HTTP client, especially where request pipelining is enabled or possible. Security and platform engineers should prioritize services that can issue mixed request methods such as GET and HEAD over the same connection, since the issue is triggered by incorrect response-to-request pairing under pipelined traffic.

Technical summary

According to the CVE description and the linked Netty advisory, HttpClientCodec advances its outbound request queue once per inbound response, including 1xx informational responses. In the reported sequence, a 103 interim response consumes a queue entry, leading the later 200 response to be associated with the wrong request. Because the request is interpreted as HEAD, body consumption is skipped, which leaves unread bytes from the prior GET response on the stream. Subsequent parsing then starts at the wrong offset, producing HTTP message desynchronization. The vulnerable version ranges in the official record end before 4.1.133.Final and before 4.2.13.Final.
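The sequence above, worked through in a simplified pairing model. This is an added illustration, not Netty's HttpClientCodec source; the wire bytes are constructed, and the "fixed" mode (1xx responses do not consume a queue entry) is an assumption about the remedy, not a description of the actual Netty patch.

```python
# Simplified model of pipelined response/request pairing, not Netty code.
from collections import deque

def parse_responses(stream: bytes, methods: list, dequeue_on_1xx: bool) -> list:
    """Parse pipelined HTTP/1.1 responses and pair each with a queued request.
    dequeue_on_1xx=True models the vulnerable behaviour (every response,
    including 103, consumes a queue entry); False models an assumed fix where
    informational responses are paired without consuming the entry."""
    queue = deque(methods)
    results, pos = [], 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end < 0 or not stream.startswith(b"HTTP/1.1 ", pos):
            # Leftover bytes are not a status line: the client is desynchronized.
            results.append(("DESYNC", stream[pos:pos + 16]))
            break
        head = stream[pos:end].decode("ascii").split("\r\n")
        status = int(head[0].split()[1])
        headers = dict(h.split(": ", 1) for h in head[1:])
        pos = end + 4
        if 100 <= status < 200:
            paired = queue.popleft() if dequeue_on_1xx else queue[0]
            results.append((paired, status, b""))
            continue
        paired = queue.popleft()
        length = int(headers.get("Content-Length", 0))
        if paired == "HEAD":
            body = b""  # HEAD responses carry headers only, so nothing is read
        else:
            body = stream[pos:pos + length]
            pos += length
        results.append((paired, status, body))
    return results

# Constructed wire bytes: 103 interim, 200 for the GET with a 5-byte body,
# then 200 for the HEAD (whose Content-Length describes a body that is not sent).
STREAM = (b"HTTP/1.1 103 Early Hints\r\nLink: </style.css>; rel=preload\r\n\r\n"
          b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"
          b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\n")

def vulnerable():
    # 103 consumes GET, the body-bearing 200 is paired with HEAD, "hello" is left over.
    return parse_responses(STREAM, ["GET", "HEAD"], dequeue_on_1xx=True)

def fixed():
    # 103 leaves GET queued, so each 200 meets the request it belongs to.
    return parse_responses(STREAM, ["GET", "HEAD"], dequeue_on_1xx=False)
```

In the vulnerable run the third parse attempt starts at the leftover "hello" bytes rather than at a status line, which is the desynchronization the advisory describes.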

Defensive priority

High. This is a network-reachable parsing flaw with no privileges or user interaction required, and it can disrupt HTTP message integrity across a client connection. Prioritize patching internet-facing or high-value services that use Netty HTTP client pipelining, then validate that no affected versions remain in production or embedded dependencies.

Recommended defensive actions

  • Upgrade Netty to 4.1.133.Final or later, or to 4.2.13.Final or later, as applicable to your release line.
  • Audit applications and libraries for transitive Netty dependencies so older vulnerable versions are not reintroduced indirectly.
  • Review client code paths that pipeline HTTP requests, especially mixed-method sequences involving GET and HEAD.
  • If immediate upgrade is not possible, reduce exposure by avoiding pipelined HTTP/1.1 request patterns on affected clients until remediation is complete.
  • Add dependency and runtime checks in CI/CD and asset inventory processes to flag affected Netty versions.

Evidence notes

The CVE record was published on 2026-05-13 and modified on 2026-05-18. The official NVD record marks the issue as analyzed and maps affected versions to Netty before 4.1.133 and before 4.2.13. The linked GitHub Security Advisory is the vendor advisory referenced by NVD and is the primary source for the described response-pairing behavior and fix ranges. No KEV entry was provided in the supplied corpus.

Official resources

CVE published 2026-05-13T19:17:24.043Z and last modified 2026-05-18T12:15:02.740Z.