Netty: HttpClientCodec response desynchronization
Summary
| CVE | CVE-2026-42584 |
|---|---|
| State | PUBLISHED |
| Assigner | GitHub_M |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-05-13 19:17:24 UTC |
| Updated | 2026-07-15 02:21:36 UTC |
| Description | Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll() once per response, including for 1xx. If the client pipelines GET then HEAD and the server sends 103, then 200 with GET body, then 200 for HEAD, the queue pairs HEAD with the first 200. The HEAD rule then skips reading that message’s body, so the GET entity bytes stay on the stream and the following 200 is parsed from the wrong offset. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final. |
Risk And Classification
Primary CVSS: v3.1 9.1 CRITICAL from [email protected]
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
EPSS: 0.000160000 probability, percentile 0.039460000 (date 2026-05-25)
Problem Types: CWE-444 | CWE-444 CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') | CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Primary | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H |
| 3.1 | ADP | CVSS | 7.3 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
| 3.1 | [email protected] | Secondary | 7.3 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 7.3 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
| 3.1 | CNA | DECLARED | 7.3 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
NVD Known Affected Configurations (CPE 2.3)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Netty | Netty | affected >= 4.2.0.Alpha1, < 4.2.13.Final | Not specified |
| CNA | Netty | Netty | affected < 4.1.133.Final | Not specified |
| CNA | Io.netty | Netty-codec-http | affected >= 4.2.0.Alpha1, < 4.2.13.Final | Not specified |
| CNA | Io.netty | Netty-codec-http | affected < 4.1.133.Final | Not specified |
| ADP | Red Hat | Cryostat 4 On RHEL 9 | unaffected 4.2.0-10 * rpm | Not specified |
| ADP | Red Hat | Cryostat 4 On RHEL 9 | unaffected 4.2.0-10 * rpm | Not specified |
| ADP | Red Hat | Cryostat 4 On RHEL 9 | unaffected 4.2.0-10 * rpm | Not specified |
| ADP | Red Hat | Red Hat Build Of Apache Camel 4.18.1.P1 For Spring Boot 3.5.16 | unaffected codec-http * rpm | Not specified |
| ADP | Red Hat | Red Hat Build Of Quarkus 3.27.4 | unaffected codec-http * rpm | Not specified |
| ADP | Red Hat | Red Hat Build Of Quarkus 3.33.2 | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift Dev Spaces 3.28 | unaffected 1780948325 * rpm | Not specified |
| ADP | Red Hat | Red Hat OpenShift Dev Spaces 3.28 | unaffected 1780696380 * rpm | Not specified |
| ADP | Red Hat | Red Hat OpenShift Dev Spaces 3.28 | unaffected 1780694994 * rpm | Not specified |
| ADP | Red Hat | Red Hat OpenShift Dev Spaces 3.29 | unaffected 1782989027 * rpm | Not specified |
| ADP | Red Hat | OpenShift Serverless | Not specified | Not specified |
| ADP | Red Hat | OpenShift Serverless | Not specified | Not specified |
| ADP | Red Hat | OpenShift Serverless | Not specified | Not specified |
| ADP | Red Hat | OpenShift Serverless | Not specified | Not specified |
| ADP | Red Hat | OpenShift Serverless | Not specified | Not specified |
| ADP | Red Hat | OpenShift Serverless | Not specified | Not specified |
| ADP | Red Hat | OpenShift Serverless | Not specified | Not specified |
| ADP | Red Hat | OpenShift Serverless | Not specified | Not specified |
| ADP | Red Hat | OpenShift Serverless | Not specified | Not specified |
| ADP | Red Hat | OpenShift Serverless | Not specified | Not specified |
| ADP | Red Hat | Red Hat AMQ Broker 7 | Not specified | Not specified |
| ADP | Red Hat | Red Hat AMQ Clients | Not specified | Not specified |
| ADP | Red Hat | Red Hat Build Of Apache Camel 4 For Quarkus 3 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Build Of Apicurio Registry 2 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Build Of Apicurio Registry 3 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Build Of Debezium 3 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Build Of Keycloak | Not specified | Not specified |
| ADP | Red Hat | Red Hat Build Of Keycloak | Not specified | Not specified |
| ADP | Red Hat | Red Hat Build Of Keycloak | Not specified | Not specified |
| ADP | Red Hat | Red Hat Build Of Keycloak | Not specified | Not specified |
| ADP | Red Hat | Red Hat Build Of Keycloak | Not specified | Not specified |
| ADP | Red Hat | Red Hat Build Of OptaPlanner 8 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Data Grid 8 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux AI RHEL AI 3 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux AI RHEL AI 3 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux AI RHEL AI 3 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Fuse 7 | Not specified | Not specified |
| ADP | Red Hat | Red Hat JBoss Enterprise Application Platform 7 | Not specified | Not specified |
| ADP | Red Hat | Red Hat JBoss Enterprise Application Platform 8 | Not specified | Not specified |
| ADP | Red Hat | Red Hat JBoss Enterprise Application Platform Expansion Pack | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI RHOAI | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI RHOAI | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI RHOAI | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI RHOAI | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI RHOAI | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI RHOAI | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI RHOAI | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI RHOAI | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI RHOAI | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI RHOAI | Not specified | Not specified |
| ADP | Red Hat | Red Hat Process Automation 7 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Satellite 6 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Satellite 6 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Single Sign-On 7 | Not specified | Not specified |
| ADP | Red Hat | Streams For Apache Kafka 2 | Not specified | Not specified |
| ADP | Red Hat | Streams For Apache Kafka 3 | Not specified | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| access.redhat.com/security/cve/CVE-2026-42584 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:23808 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:37390 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| github.com/netty/netty/security/advisories/GHSA-57rv-r2g8-2cj3 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | github.com | Exploit, Vendor Advisory |
| access.redhat.com/errata/RHSA-2026:25123 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | |
| security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42584.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:36820 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:28010 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:24502 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2026-05-13T19:01:51.846Z | Reported to Red Hat. |
| ADP | 2026-05-13T18:10:48.437Z | Made public. |
Solutions
ADP: RHSA-2026:28010: Cryostat 4 on RHEL 9
ADP: RHSA-2026:25123: Red Hat OpenShift Dev Spaces 3.28
ADP: RHSA-2026:36820: Red Hat OpenShift Dev Spaces 3.29
ADP: RHSA-2026:37390: Red Hat build of Apache Camel 4.18.1.P1 for Spring Boot 3.5.16
ADP: RHSA-2026:23808: Red Hat build of Quarkus 3.27.4
ADP: RHSA-2026:24502: Red Hat build of Quarkus 3.33.2