CVE-2026-41207
- Source
- https://cve.org/CVERecord?id=CVE-2026-41207
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-41207.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2026-41207
- Aliases
- Published
- 2026-06-04T17:22:35.742Z
- Modified
- 2026-06-18T03:57:18.715540332Z
- Severity
-
- 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- netty-incubator-codec-ohttp's HPKEContext operations may produce empty byte[] on failures
- Details
-
The netty incubator codec.bhttp is a java language binary http parser. Prior to version 0.0.21.Final, HKDFexpand returns non-NULL on failure. The byte[] is filled with zeros and has no way to distinguish success from failure. Since this output is used as HKDF key material for the response AEAD, a failure silently produces an all-zero key. When EVPHPKECTXexport fails it also returns an empty byte[] array filled with zeros. This byte[] feeds directly into OHttpCrypto.createResponseAEAD(...). A silent all-zero export secret would produce a deterministic, attacker-predictable AEAD key. Version 0.0.21.Final patches the issue.
- Database specific
{ "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-330" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41207.json" }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41207.json
- https://github.com/netty/netty-incubator-codec-ohttp/security/advisories/GHSA-f659-372h-6x3x
- https://nvd.nist.gov/vuln/detail/CVE-2026-41207
- https://github.com/netty/netty-incubator-codec-ohttp/commit/3d3b4e527fc82ad0fe3db1af951ffd0ec9a10680
Affected packages
Git / github.com/netty/netty-incubator-codec-ohttp
Affected ranges
- Type
- GIT
- Repo
- https://github.com/netty/netty-incubator-codec-ohttp
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixedFixed
- Database specific
{ "cpe": "cpe:2.3:a:netty:netty-incubator-codec-ohttp:*:*:*:*:*:*:*:*", "source": [ "CPE_RANGE", "REFERENCES" ], "extracted_events": [ { "introduced": "0" }, { "fixed": "0.0.21" } ] }
Affected versions
netty-incubator-codec-parent-ohttp-0.*
netty-incubator-codec-parent-ohttp-0.0.1.Final
netty-incubator-codec-parent-ohttp-0.0.10.Final
netty-incubator-codec-parent-ohttp-0.0.11.Final
netty-incubator-codec-parent-ohttp-0.0.12.Final
netty-incubator-codec-parent-ohttp-0.0.13.Final
netty-incubator-codec-parent-ohttp-0.0.14.Final
netty-incubator-codec-parent-ohttp-0.0.15.Final
netty-incubator-codec-parent-ohttp-0.0.16.Final
netty-incubator-codec-parent-ohttp-0.0.17.Final
netty-incubator-codec-parent-ohttp-0.0.18.Final
netty-incubator-codec-parent-ohttp-0.0.19.Final
netty-incubator-codec-parent-ohttp-0.0.2.Final
netty-incubator-codec-parent-ohttp-0.0.20.Final
netty-incubator-codec-parent-ohttp-0.0.3.Final
netty-incubator-codec-parent-ohttp-0.0.4.Final
netty-incubator-codec-parent-ohttp-0.0.5.Final
netty-incubator-codec-parent-ohttp-0.0.6.Final
netty-incubator-codec-parent-ohttp-0.0.7.Final
netty-incubator-codec-parent-ohttp-0.0.8.Final
netty-incubator-codec-parent-ohttp-0.0.9.Final