Description
The netty incubator codec.bhttp is a Java-language binary HTTP parser. The library implements Oblivious HTTP (RFC 9458) using BoringSSL's HPKE C library via JNI. When deriving native memory addresses for cryptographic operations, versions prior to 0.0.22.Final provide a fallback path for direct ByteBufs that do not expose their memory address through `hasMemoryAddress()`. This fallback occurs when `sun.misc.Unsafe` is unavailable to Netty, for example when the JVM is started with `-Dio.netty.noUnsafe=true`, when a SecurityManager restricts Unsafe access, or when running on non-HotSpot JVMs. In these configurations, Netty's default `PooledByteBufAllocator` returns `PooledDirectByteBuf` instances for which `hasMemoryAddress()` returns false. Under such a JVM configuration, an unauthenticated network attacker can cause the OHTTP gateway to corrupt memory belonging to other concurrent connections and disclose the contents of adjacent pooled direct buffers by triggering cryptographic operations with crafted OHTTP requests. The corruption occurs regardless of whether the AEAD tag verification succeeds, as BoringSSL zeroizes the output buffer on failure. The information disclosure path provides the attacker with the encryption key needed to extract the leaked data. This violates the confidentiality and integrity of all connections sharing the same Netty buffer arena. Version 0.0.22.Final fixes the issue.
Published: 2026-06-04
Score: 6.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is in Netty's OHTTP codec, where an incorrect derivation of native memory addresses in the pooled direct ByteBuf fallback path allows an attacker to perform an out-of-bounds write in native memory. Exploitation can corrupt memory belonging to other connections and reveal the contents of adjacent pooled buffers. This can lead to disclosure of encryption keys and compromise the confidentiality and integrity of all traffic using the shared Netty buffer arena. The weakness maps to CWE-125 (Out-of-Bounds Read) and CWE-787 (Out-of-Bounds Write).

Affected Systems

Versions of netty-incubator-codec-ohttp earlier than 0.0.22.Final contain the flaw. When Netty runs with Unsafe disabled (-Dio.netty.noUnsafe=true), with a SecurityManager blocking Unsafe, or on a non-HotSpot JVM, the library falls back to a path that handles direct ByteBufs which do not expose their memory address. An unauthenticated network attacker can send crafted OHTTP requests to an OHTTP gateway to trigger the fallback and exploit the vulnerability.

Risk and Exploitability

The CVSS score of 6.8 indicates a medium-severity condition. EPSS is not available, and the issue is not listed in CISA's KEV catalog, but the out-of-bounds native memory write is a serious flaw that can be triggered without authentication in the described configurations. Because the exploit relies on executing native code via BoringSSL's JNI interface, a successful attack requires the vulnerable library to be loaded and the fallback path to be active, that is, Unsafe must be unavailable to Netty. Attackers would gain access to encryption keys, potentially enabling full data compromise for all connections sharing the buffer arena.

Generated by OpenCVE AI on June 4, 2026 at 18:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade netty-incubator-codec-ohttp to version 0.0.22.Final or later, where the native pointer derivation issue is fixed.
  • If updating is not immediately possible, ensure that the JVM does not disable Unsafe (remove -Dio.netty.noUnsafe=true) so that Netty does not use the vulnerable fallback path; alternatively, configure any SecurityManager so that it allows Unsafe access.
  • Implement network traffic monitoring to detect anomalous OHTTP requests, and restrict OHTTP access to trusted IPs to limit exposure.
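A start-up guard that reproduces the advisory's enabling condition, so a deployment still on a vulnerable codec version fails fast instead of silently taking the fallback path. This is an added example, not code from the OpenCVE record or the Netty project; it assumes Java 16+ (for the record) and uses Netty's public `ByteBuf.hasMemoryAddress()` together with the internal `PlatformDependent.hasUnsafe()` helper for diagnostics only.

```java
import io.netty.buffer.ByteBuf;
import io.netty.buffer.ByteBufAllocator;
import io.netty.buffer.PooledByteBufAllocator;
import io.netty.util.internal.PlatformDependent;

/**
 * Preflight check to run once at service start-up, before the OHTTP pipeline
 * is built. With sun.misc.Unsafe unavailable, PooledByteBufAllocator hands out
 * direct buffers whose hasMemoryAddress() is false; that is exactly the input
 * that sends netty-incubator-codec-ohttp < 0.0.22.Final into the vulnerable
 * fallback path, so the probe tests the real allocator rather than a flag.
 */
public final class OhttpBufferPreflight {

    private OhttpBufferPreflight() {}

    /** Snapshot of the conditions, kept separate so each can be logged. */
    public record Probe(boolean unsafeAvailable, boolean directBufferHasAddress,
                        String noUnsafeProperty) {
        /** True when this JVM/Netty configuration would take the fallback path. */
        public boolean wouldUseFallback() {
            return !directBufferHasAddress;
        }
    }

    /** Allocate one pooled direct buffer and inspect it; always release it. */
    public static Probe probe(ByteBufAllocator alloc) {
        ByteBuf buf = alloc.directBuffer(64);
        try {
            return new Probe(PlatformDependent.hasUnsafe(),       // internal API, diagnostic only
                             buf.hasMemoryAddress(),              // the condition the codec checks
                             System.getProperty("io.netty.noUnsafe", "false"));
        } finally {
            buf.release();
        }
    }

    /** Refuse to start when the deployment would hit the fallback path. */
    public static void enforce(ByteBufAllocator alloc) {
        Probe p = probe(alloc);
        if (p.wouldUseFallback()) {
            throw new IllegalStateException("Netty direct buffers expose no memory address"
                    + " (hasUnsafe=" + p.unsafeAvailable() + ", io.netty.noUnsafe=" + p.noUnsafeProperty()
                    + "); the OHTTP codec would use the fallback path affected by CVE-2026-48040."
                    + " Re-enable Unsafe or upgrade netty-incubator-codec-ohttp to 0.0.22.Final or later.");
        }
    }

    public static void main(String[] args) {
        enforce(PooledByteBufAllocator.DEFAULT);
        System.out.println("OK: pooled direct buffers expose their native address");
    }
}
```

Run it with and without `-Dio.netty.noUnsafe=true` to confirm the guard distinguishes the two configurations; once the codec is upgraded to 0.0.22.Final or later the check is no longer needed for this issue.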

Advisories

No advisories yet.

History

Thu, 04 Jun 2026 18:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Netty; Netty netty-incubator-codec-ohttp
Vendors & Products   -                Netty; Netty netty-incubator-codec-ohttp

Thu, 04 Jun 2026 18:30:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 04 Jun 2026 17:45:00 +0000

Type          Values Removed   Values Added
Description   -                The netty incubator codec.bhttp is a Java-language binary HTTP parser. The library implements Oblivious HTTP (RFC 9458) using BoringSSL's HPKE C library via JNI. When deriving native memory addresses for cryptographic operations, versions prior to 0.0.22.Final provide a fallback path for direct ByteBufs that do not expose their memory address through `hasMemoryAddress()`. This fallback occurs when `sun.misc.Unsafe` is unavailable to Netty, for example when the JVM is started with `-Dio.netty.noUnsafe=true`, when a SecurityManager restricts Unsafe access, or when running on non-HotSpot JVMs. In these configurations, Netty's default `PooledByteBufAllocator` returns `PooledDirectByteBuf` instances for which `hasMemoryAddress()` returns false. Under such a JVM configuration, an unauthenticated network attacker can cause the OHTTP gateway to corrupt memory belonging to other concurrent connections and disclose the contents of adjacent pooled direct buffers by triggering cryptographic operations with crafted OHTTP requests. The corruption occurs regardless of whether the AEAD tag verification succeeds, as BoringSSL zeroizes the output buffer on failure. The information disclosure path provides the attacker with the encryption key needed to extract the leaked data. This violates the confidentiality and integrity of all connections sharing the same Netty buffer arena. Version 0.0.22.Final fixes the issue.
Title         -                netty-incubator-codec-ohttp's Incorrect Native Pointer Derivation in Pooled Direct ByteBuf Fallback Leads to Out-of-Bounds Native Memory Access
Weaknesses    -                CWE-125; CWE-787
References    -                -
Metrics       -                cvssV4_0: {'score': 6.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:U'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-04T18:01:22.970Z

Reserved: 2026-05-20T18:15:53.578Z

Link: CVE-2026-48040

Vulnrichment

Updated: 2026-06-04T18:01:18.863Z

NVD

Status: Undergoing Analysis

Published: 2026-06-04T18:16:31.220

Modified: 2026-06-04T19:15:17.327

Link: CVE-2026-48040

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-04T19:00:14Z

Weaknesses