GHSA-f659-372h-6x3x

Source

https://github.com/advisories/GHSA-f659-372h-6x3x

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-f659-372h-6x3x/GHSA-f659-372h-6x3x.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-f659-372h-6x3x

Aliases

CVE-2026-41207

Published

2026-05-26T23:08:26Z

Modified

2026-06-09T12:00:14.063894871Z

Severity

6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

netty-incubator-codec-ohttp's HPKEContext operations may produce empty byte[] on failures

Details

HKDF_expand: returns non-NULL on failure. The byte[] is filled with zeros and has no way to distinguish success from failure. Since this output is used as HKDF key material for the response AEAD, a failure silently produces an all-zero key.

When EVPHPKECTX_export fails it also returns an empty byte[] array filled with zeros. This byte[] feeds directly into OHttpCrypto.createResponseAEAD(...). A silent all-zero export secret would produce a deterministic, attacker-predictable AEAD key.

Database specific

{
    "github_reviewed_at": "2026-05-26T23:08:26Z",
    "nvd_published_at": "2026-06-04T18:16:30Z",
    "github_reviewed": true,
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-330"
    ]
}

References

Affected packages

Maven / io.netty.incubator:netty-incubator-codec-ohttp

Package

Name: io.netty.incubator:netty-incubator-codec-ohttp; View open source insights on deps.dev
Purl: pkg:maven/io.netty.incubator/netty-incubator-codec-ohttp

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.0.21.Final

Affected versions

0.*

0.0.1.Final

0.0.2.Final

0.0.3.Final

0.0.4.Final

0.0.5.Final

0.0.6.Final

0.0.7.Final

0.0.8.Final

0.0.9.Final

0.0.10.Final

0.0.11.Final

0.0.12.Final

0.0.13.Final

0.0.14.Final

0.0.15.Final

0.0.16.Final

0.0.17.Final

0.0.18.Final

0.0.19.Final

0.0.20.Final

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-f659-372h-6x3x/GHSA-f659-372h-6x3x.json"