DEBIAN-CVE-2026-41417

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/CVE-2026-41417

Import Source

https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-41417.json

JSON Data

https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2026-41417

Upstream

CVE-2026-41417

Published

2026-05-06T22:16:25.780Z

Modified

2026-05-07T11:00:19.043526Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator

Summary

[none]

Details

Netty allows request-line validation to be bypassed when a DefaultHttpRequest or DefaultFullHttpRequest is created first and its URI is later changed via setUri(). The constructors reject CRLF and whitespace characters that would break the start-line, but setUri() does not apply the same validation. HttpRequestEncoder and RtspEncoder then write the URI into the request line verbatim. If attacker-controlled input reaches setUri(), this enables CRLF injection and insertion of additional HTTP or RTSP requests, leading to HTTP request smuggling or desynchronization on the HTTP side and request injection on the RTSP side. This issue is fixed in versions 4.2.13.Final and 4.1.133.Final.

References

https://security-tracker.debian.org/tracker/CVE-2026-41417

Affected packages

Debian:11 / netty

Package

Name: netty
Purl: pkg:deb/debian/netty?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1:4.*

1:4.1.48-4

1:4.1.48-4+deb11u1

1:4.1.48-4+deb11u2

1:4.1.48-4+deb11u3

1:4.1.48-5

1:4.1.48-6

1:4.1.48-7

1:4.1.48-8

1:4.1.48-9

1:4.1.48-10

1:4.1.48-11

1:4.1.48-12

1:4.1.48-13

1:4.1.48-14

1:4.1.48-15

1:4.1.48-16

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-41417.json"

Debian:12 / netty

Package

Name: netty
Purl: pkg:deb/debian/netty?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1:4.*

1:4.1.48-7

1:4.1.48-7+deb12u1

1:4.1.48-7+deb12u2

1:4.1.48-8

1:4.1.48-9

1:4.1.48-10

1:4.1.48-11

1:4.1.48-12

1:4.1.48-13

1:4.1.48-14

1:4.1.48-15

1:4.1.48-16

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-41417.json"

Debian:13 / netty

Package

Name: netty
Purl: pkg:deb/debian/netty?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1:4.*

1:4.1.48-10

1:4.1.48-10+deb13u1

1:4.1.48-11

1:4.1.48-12

1:4.1.48-13

1:4.1.48-14

1:4.1.48-15

1:4.1.48-16

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-41417.json"

Debian:14 / netty

Package

Name: netty
Purl: pkg:deb/debian/netty?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1:4.*

1:4.1.48-10

1:4.1.48-11

1:4.1.48-12

1:4.1.48-13

1:4.1.48-14

1:4.1.48-15

1:4.1.48-16

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-41417.json"