Description
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll() once per response, including for 1xx. If the client pipelines GET then HEAD and the server sends 103, then 200 with GET body, then 200 for HEAD, the queue pairs HEAD with the first 200. The HEAD rule then skips reading that message’s body, so the GET entity bytes stay on the stream and the following 200 is parsed from the wrong offset. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
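The pairing defect the description outlines, modelled as an added example (this is my own Python, not Netty code): a minimal HTTP/1.1 response parser runs over a constructed byte stream in which the server answers a pipelined GET then HEAD with 103, then 200 plus the GET body, then 200 for HEAD. The `fixed=False` path reproduces one `queue.poll()` per response, 1xx included; the `fixed=True` path leaves the queue head in place for interim responses and is my assumption about the intent of the correction, not the project's actual patch. The stream bytes, `parse_head` and `decode` are all constructed here.

```python
"""Model of the HttpClientCodec request/response pairing described above.

Constructed example, not Netty code.  The client pipelines GET then HEAD and
the server answers 103, then 200 with the GET body, then 200 for HEAD.
"""
from collections import deque

# Constructed server bytes.  The HEAD response carries the same Content-Length
# the GET would, but no body follows it on the wire (HEAD semantics).
SERVER_STREAM = (
    b"HTTP/1.1 103 Early Hints\r\nLink: </style.css>; rel=preload\r\n\r\n"
    b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"
    b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\n"
)


def parse_head(stream, pos):
    """Parse a status line and headers at pos; return (status, headers, body_offset)."""
    end = stream.find(b"\r\n\r\n", pos)
    if end < 0:
        raise ValueError("incomplete response head at offset %d" % pos)
    lines = stream[pos:end].split(b"\r\n")
    parts = lines[0].split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/1.") or not parts[1].isdigit():
        raise ValueError("bad status line at offset %d: %r" % (pos, lines[0][:32]))
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers, end + 4


def decode(stream, requests, fixed):
    """Decode every response in stream, pairing each with a pipelined request.

    fixed=False reproduces the defect: one queue.poll() per response, 1xx included.
    fixed=True keeps the queue head for interim (1xx) responses and removes it only
    when the final response arrives (my assumed correction, not Netty's patch).
    Returns one (method, status, body) tuple per response, or a ("desync", reason)
    entry at the point where the parser loses alignment with the wire.
    """
    queue = deque(requests)
    results, pos = [], 0
    while pos < len(stream):
        try:
            status, headers, pos = parse_head(stream, pos)
        except ValueError as exc:
            results.append(("desync", str(exc)))
            break
        if not queue:
            results.append(("desync", "response with no pending request"))
            break
        interim = 100 <= status < 200
        method = queue[0] if (fixed and interim) else queue.popleft()
        if interim or method == "HEAD":
            body = b""  # HEAD rule: no body is read, whatever Content-Length says
        else:
            length = int(headers.get(b"content-length", b"0"))
            body = stream[pos:pos + length]
            pos += length
        results.append((method, status, body))
    return results


if __name__ == "__main__":
    for fixed in (False, True):
        print("fixed" if fixed else "vulnerable")
        for entry in decode(SERVER_STREAM, ["GET", "HEAD"], fixed):
            print("   ", entry)
```

In the vulnerable run the 103 consumes the GET entry, the first 200 is paired with HEAD and its five body bytes are never read, so the next status-line parse begins on `hello` and fails, which is the "parsed from the wrong offset" condition in the description. A client that logs such parse failures immediately after a 1xx on a pipelined connection has a usable symptom to watch for while rolling out the patched versions.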
Published: 2026-05-13
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability lies in Netty's HttpClientCodec, the handler that pairs each inbound HTTP response with the outbound request it answers. Because the codec removes one queued request for every response, 1xx interim responses included, a pipelined GET followed by HEAD can have the HEAD request paired with the GET's 200 response; the HEAD rule then leaves the GET body unread on the stream, and the next response is parsed from the wrong offset. An attacker who controls the responding server can send such a response sequence to desynchronize the client, causing it to drop data or misinterpret subsequent responses, which may result in a denial of service or data loss. The flaw is classified as CWE-444 (Inconsistent Interpretation of HTTP Requests, 'HTTP Request/Response Smuggling').

Affected Systems

Affected products are Netty's core libraries, specifically the netty-codec-http module and the netty project itself. Versions prior to 4.2.13.Final in the 4.2 series and prior to 4.1.133.Final in the 4.1 series are vulnerable; upgrading to those patched releases removes the flaw.

Risk and Exploitability

The CVSS v3.1 base score of 7.3 indicates high severity. No EPSS data is available, and the vulnerability is not listed in CISA's KEV catalog, suggesting no known widespread exploitation yet, but the flaw is exploitable by any attacker who controls a server that a Netty client talks to. The attack would involve sending a crafted sequence of HTTP responses, including a 1xx interim response, to desynchronize the client's response parsing, potentially causing denial of service or incorrect data handling. As the flaw is in the client-side codec, the affected party is the Netty-based application acting as an HTTP client.

Generated by OpenCVE AI on May 13, 2026 at 19:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Netty library to version 4.2.13.Final or later, or to 4.1.133.Final or later.
  • Verify that all modules and dependent projects using the Netty codec also resolve to the patched versions, so that every Netty artifact in the build is at the same patched release.
  • Rebuild and redeploy the application, making sure no older Netty artifacts remain on the runtime classpath.

Generated by OpenCVE AI on May 13, 2026 at 19:38 UTC.


Advisories
Source       ID                    Title
GitHub GHSA  GHSA-57rv-r2g8-2cj3   Netty has HttpClientCodec response desynchronization
History

Thu, 28 May 2026 12:15:00 +0000

Type        Values Removed          Values Added
References
Metrics     threat_severity: None   threat_severity: Important


Mon, 18 May 2026 12:15:00 +0000

Type   Values Removed   Values Added
CPEs                    cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*

Fri, 15 May 2026 08:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 14 May 2026 15:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Io.netty
                                       Io.netty netty-codec-http
                                       Netty
                                       Netty netty
Vendors & Products                     Io.netty
                                       Io.netty netty-codec-http
                                       Netty
                                       Netty netty

Wed, 13 May 2026 18:30:00 +0000

Type          Values Removed   Values Added
Description                    Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll() once per response, including for 1xx. If the client pipelines GET then HEAD and the server sends 103, then 200 with GET body, then 200 for HEAD, the queue pairs HEAD with the first 200. The HEAD rule then skips reading that message’s body, so the GET entity bytes stay on the stream and the following 200 is parsed from the wrong offset. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Title                          Netty: HttpClientCodec response desynchronization
Weaknesses                     CWE-444
References
Metrics                        cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-13T18:35:05.734Z

Reserved: 2026-04-28T17:26:12.086Z

Link: CVE-2026-42584

Vulnrichment

Updated: 2026-05-13T18:34:51.803Z

NVD

Status : Analyzed

Published: 2026-05-13T19:17:24.043

Modified: 2026-05-18T12:15:02.740

Link: CVE-2026-42584

Redhat

Severity : Important

Public Date: 2026-05-13T18:10:48Z

Links: CVE-2026-42584 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-14T14:34:04Z

Weaknesses