PatchSiren cyber security CVE debrief
CVE-2026-48480 netty CVE debrief
CVE-2026-48480 is a MEDIUM severity vulnerability in the Netty Incubator Codec OHTTP, a Java language binary HTTP parser. Prior to version 0.0.22.Final, the codec-ohttp implementation of draft-ietf-ohai-chunked-ohttp does not verify that a cryptographically-signed final chunk was received before the outer HTTP body terminates. This allows an on-path adversary (the OHTTP relay itself, or any MITM on the relay↔gateway or relay↔client transport) to forward a prefix of a legitimate chunked-OHTTP message—cut at a non-final chunk boundary—and close the outer body cleanly, producing no decryption error and no exception in the receiving application. The issue is fixed in version 0.0.22.Final.
- Vendor: netty
- Product: netty-incubator-codec-ohttp
- CVSS: MEDIUM 6.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-04
- Original CVE updated: 2026-06-05
- Advisory published: 2026-06-04
- Advisory updated: 2026-06-05
Who should care
Users of Netty Incubator Codec OHTTP prior to version 0.0.22.Final should update to the latest version to mitigate this vulnerability.
Technical summary
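Netty Incubator Codec OHTTP is vulnerable to a prefix-forwarding (truncation) attack: the receiver does not verify that the cryptographically-signed final chunk of a chunked-OHTTP message arrived before the outer HTTP body ended, so a message cut at a non-final chunk boundary is accepted without a decryption error or exception.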
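The missing end-of-body check, shown as an added example on a simplified model; this is not Netty's code and not the draft's wire format. The framing, the constructed key, the HMAC standing in for the AEAD, and the names `encode`, `decode` and `require_final` are all assumptions made for illustration.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # constructed; real OHTTP derives keys via HPKE
FINAL, MORE = b"\x01", b"\x00"

class TruncatedMessage(Exception):
    """Outer body ended before an authenticated final chunk arrived."""

def _tag(counter, flag, payload):
    # The tag covers the chunk counter and the final flag, so a relay cannot
    # reorder chunks or relabel a non-final chunk as final.
    msg = struct.pack(">Q", counter) + flag + payload
    return hmac.new(KEY, msg, hashlib.sha256).digest()

def encode(chunks):
    """Frame each chunk as flag | 2-byte length | payload | 32-byte tag."""
    frames = []
    for i, payload in enumerate(chunks):
        flag = FINAL if i == len(chunks) - 1 else MORE
        frames.append(flag + struct.pack(">H", len(payload)) + payload
                      + _tag(i, flag, payload))
    return frames

def decode(body, require_final=True):
    """Decode a whole outer body; reaching its end models a clean close."""
    out, pos, counter, saw_final = [], 0, 0, False
    while pos < len(body):
        if saw_final:
            raise ValueError("data after final chunk")
        if len(body) - pos < 3:
            raise TruncatedMessage("cut inside a chunk header")
        flag = body[pos:pos + 1]
        (length,) = struct.unpack(">H", body[pos + 1:pos + 3])
        end = pos + 3 + length + 32
        if end > len(body):
            raise TruncatedMessage("cut inside a chunk")
        payload, tag = body[pos + 3:pos + 3 + length], body[pos + 3 + length:end]
        if not hmac.compare_digest(tag, _tag(counter, flag, payload)):
            raise ValueError("chunk authentication failed")
        out.append(payload)
        saw_final = flag == FINAL
        pos, counter = end, counter + 1
    # Every chunk seen so far verified, but that says nothing about whether
    # the message is complete. require_final=False models skipping this check.
    if require_final and not saw_final:
        raise TruncatedMessage("no authenticated final chunk before end of body")
    return b"".join(out)
```

With `require_final=False` a prefix cut at a chunk boundary decodes cleanly, which is why per-chunk authentication alone does not detect the truncation.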
Defensive priority
MEDIUM
Recommended defensive actions
- Update to version 0.0.22.Final or later of Netty Incubator Codec OHTTP.
Evidence notes
CVE-2026-48480 is published on [CVE.org](https://www.cve.org/CVERecord?id=CVE-2026-48480), with details on [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-48480). Additional information is available in the [referenced commit](https://github.com/netty/netty-incubator-codec-ohttp/commit/28f977f293591a4e837bd59ceb441f9f70349915) and the [GitHub security advisory GHSA-r6fj-869h-4f6q](https://github.com/netty/netty-incubator-codec-ohttp/security/advisories/GHSA-r6fj-869h-4f6q).
Official resources
CVE-2026-48480 was published on 2026-06-04T19:16:30.253Z and modified on 2026-06-05T16:00:09.370Z.