CVE-2026-42581

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-42581

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-42581.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2026-42581

Aliases

GHSA-xxqh-mfjm-7mv9

Downstream

CLEANSTART-2026-VJ37814

DEBIAN-CVE-2026-42581

MINI-26q6-785r-98p3

MINI-277r-c36x-67qj

MINI-2mgm-642c-pxq8

MINI-38xj-rmc9-w2fc

MINI-3f5m-x4cx-5qcv

MINI-3rgr-9g29-jv83

MINI-3w9w-4fjr-h3qf

MINI-4fgw-6p4h-g7gj

MINI-4x3f-wrfv-hr33

MINI-55ff-7m8v-c793

MINI-566r-mv6h-649c

MINI-58w8-32gh-f9f4

MINI-5gvp-2fh9-4cj2

MINI-675h-mj4v-gwc6

MINI-67q6-gv58-69w3

MINI-68hh-prw7-5pw9

MINI-6fcq-pg8j-5j43

MINI-6wjf-wf2g-49v5

MINI-7jvv-v4mv-2g2j

MINI-7r8p-329c-5hmq

MINI-8prr-3qw6-3cpq

MINI-9j35-7vcm-4xjj

MINI-9vrc-4w94-33rf

MINI-c5c7-wr87-7w6h

MINI-chj3-cm8v-v883

MINI-cmwf-52x9-4mv4

MINI-cp9v-2929-r4wq

MINI-cqvr-xr89-cm65

MINI-f236-6g89-44mw

MINI-f6wq-2gh9-9qcx

MINI-g4gw-29xp-m36f

MINI-h7qf-7q77-h28q

MINI-hhr5-pcjr-24rr

MINI-j3c4-4454-g7mh

MINI-j4vq-pfqj-phh2

MINI-j839-3m2f-2f5w

MINI-j9m7-ff9x-qrxf

MINI-jwjr-7422-26pj

MINI-m333-v9x9-2gph

MINI-m34q-fh5j-4gjq

MINI-m9r5-j4v7-2cf6

MINI-mcpf-g3fh-9q4v

MINI-mfwv-6vv3-7392

MINI-mg3p-gpww-m9mq

MINI-mpgg-4fjv-g3p3

MINI-mprv-99xp-p276

MINI-p896-4x48-489q

MINI-pr34-5vwr-r2mf

MINI-q4fr-897p-8hg6

MINI-qjhp-6329-9chx

MINI-r6qp-rr4f-vjjw

MINI-rcj7-x9r3-xxc5

MINI-rx98-cj4m-fx4x

MINI-v4mr-545f-wmvw

MINI-v66f-xrgr-w3w8

MINI-v7hf-x5p2-462x

MINI-vfpw-gr34-x4w2

MINI-vpgf-4rc8-ph2m

MINI-vq5p-g6g3-f24g

MINI-vwjw-rpmv-f69h

MINI-wjfh-mvxh-9rw2

MINI-wpgh-6fc6-gq84

MINI-wrxv-fgx2-5mh2

MINI-x63r-q78x-pmxf

MINI-x6mf-352v-f664

MINI-xj7w-75vj-vfm5

MINI-xjfr-4w36-cvf5

MINI-xm3j-33vp-wg8r

MINI-xx6j-p5v3-j689

ROOT-APP-MAVEN-CVE-2026-42581

UBUNTU-CVE-2026-42581

openSUSE-SU-2026:10795-1

Related

Published

2026-05-13T17:54:44.492Z

Modified

2026-05-20T04:03:09.619256725Z

Severity

5.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N CVSS Calculator

Summary

Netty: HTTP/1.0 TE+CL Coexistence Bypasses Smuggling Sanitization

Details

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder strips a conflicting Content-Length header when a request carries both Transfer-Encoding: chunked and Content-Length, but only for HTTP/1.1 messages. The guard is absent for HTTP/1.0. An attacker that sends an HTTP/1.0 request with both headers causes Netty to decode the body as chunked while leaving Content-Length intact in the forwarded HttpMessage. Any downstream proxy or handler that trusts Content-Length over Transfer-Encoding will disagree on message boundaries, enabling request smuggling. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

Database specific

{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42581.json",
    "cwe_ids": [
        "CWE-444"
    ]
}

References

Affected packages

Git / github.com/netty/netty

Affected ranges

Type: GIT
Repo: https://github.com/netty/netty
Events: Introduced

5451fbb0effd8460f57013bb33aefeb953144ed9

Fixed

fb13125f135ab53203513ff603872a3abe84d38d

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-42581.json"