Description
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, before reading the first request-line, `HttpObjectDecoder` skips every byte for which `Character.isISOControl(b)` is `true` (0x00–0x1F and 0x7F) as well as all whitespace. RFC 9112 §2.2 only asks servers to ignore empty CRLF lines preceding the request-line — a carefully scoped robustness allowance intended to handle HTTP/1.0 POST workarounds. Silently absorbing NUL bytes, SOH, STX, and other non-CRLF control characters goes significantly beyond this, and can be exploited for request-boundary confusion in pipelined or multiplexed transports where a front-end component treats those bytes differently. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Published: 2026-06-12
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Netty's HttpObjectDecoder discards any ISO control character and whitespace before parsing the first request line. This behavior exceeds the specification from RFC 9112, which only requires ignoring empty CRLF lines. By swallowing non-CRLF control bytes, the decoder can misalign the boundaries of pipelined or multiplexed HTTP connections, potentially causing a front-end component that treats those bytes differently to misinterpret the request stream. The impact is a confusion of request boundaries, which can affect subsequent request handling.

Affected Systems

The Java networking library Netty is affected in all versions prior to 4.1.135.Final and 4.2.15.Final. Netty is widely used across many Java servers, frameworks, and microservices. Any application that depends on a vulnerable Netty build inherits the flaw.

Risk and Exploitability

The CVSS score is 5.3, indicating moderate severity, and the EPSS score is less than 1%, indicating a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a client or intermediary sending ISO control bytes or non-CRLF whitespace before the HTTP request line; the attacker would need to control the transport layer to insert those bytes. Because exploitation requires sending specially crafted control characters to a server that uses Netty, the overall risk remains moderate.

Generated by OpenCVE AI on June 12, 2026 at 17:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Netty to version 4.1.135.Final or later, or 4.2.15.Final or later, which patch the decoder behavior.
  • Apply network-level filtering or firewall rules to reject packets that contain ISO control bytes or non-CRLF whitespace before the HTTP request line.
  • If an immediate library upgrade is infeasible, add an application-level filter that strips or sanitises control characters from the input stream before it reaches HttpObjectDecoder.
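The gap between the two prelude rules in the description (skip every ISO control and whitespace byte versus skip only empty CRLF lines) is easy to state but worth seeing byte by byte, and it is also exactly what the application-level filter in the last action above has to decide on. The following is an added Python model, not Netty's code: `ISO_CONTROL` and `JAVA_WHITESPACE` are my own single-byte approximations of `Character.isISOControl` and `Character.isWhitespace`, the function names are hypothetical, and the request samples are constructed.

```python
"""Model of HTTP request-line prelude handling: the permissive skip
described for the affected Netty versions versus the RFC 9112 §2.2 rule,
plus the check a pre-decoder filter or detection rule needs."""

# Assumption: the decoder looks at the buffer one byte at a time, so only
# single-byte values matter. Character.isISOControl is true for
# 0x00-0x1F and 0x7F.
ISO_CONTROL = set(range(0x00, 0x20)) | {0x7F}
# Single-byte values for which Character.isWhitespace is true:
# TAB, LF, VT, FF, CR, FS, GS, RS, US and SPACE (assumption: modelled
# after the JDK definition; 0xA0 is deliberately not whitespace there).
JAVA_WHITESPACE = {0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x1C, 0x1D, 0x1E, 0x1F, 0x20}


def skip_prelude_permissive(buf: bytes) -> int:
    """Offset of the first byte that is neither an ISO control nor
    whitespace: the pre-fix behaviour the advisory describes."""
    i = 0
    while i < len(buf) and (buf[i] in ISO_CONTROL or buf[i] in JAVA_WHITESPACE):
        i += 1
    return i


def skip_prelude_rfc9112(buf: bytes) -> int:
    """Offset after any number of empty CRLF lines, which is the only
    prelude RFC 9112 §2.2 asks a server to tolerate before a request-line."""
    i = 0
    while buf.startswith(b"\r\n", i):
        i += 2
    return i


def find_disallowed_prelude_bytes(buf: bytes) -> list[tuple[int, int]]:
    """Bytes the permissive decoder would swallow but the RFC rule would
    not: each entry is (offset, value). A non-empty list means the two
    parsers disagree on where the request starts, which is the condition a
    pre-decoder filter should reject and a detection rule should log."""
    start = skip_prelude_rfc9112(buf)
    end = skip_prelude_permissive(buf)
    return [(i, buf[i]) for i in range(start, end)]


def prelude_verdict(buf: bytes) -> str:
    """Filter decision for the start of a connection: 'accept' when only
    RFC-permitted CRLF lines (or nothing) precede the request-line,
    otherwise 'reject'. Rejecting is the safe choice for the filter the
    advisory recommends, because stripping the bytes would reproduce the
    permissive behaviour at a different layer."""
    return "reject" if find_disallowed_prelude_bytes(buf) else "accept"


# Constructed samples: a plain request, one preceded by two empty CRLF
# lines (allowed by RFC 9112), and one preceded by NUL, SOH and a space.
SAMPLES = {
    "plain": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "crlf_prelude": b"\r\n\r\nGET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "control_prelude": b"\x00\x01 GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
}


def request_line(buf: bytes, skip) -> bytes:
    """Request-line a decoder using the given skip rule would see."""
    start = skip(buf)
    end = buf.find(b"\r\n", start)
    return buf[start:end if end >= 0 else len(buf)]


if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(f"{name}:")
        print("  permissive request-line:", request_line(sample, skip_prelude_permissive))
        print("  rfc9112 request-line:   ", request_line(sample, skip_prelude_rfc9112))
        print("  disallowed prelude bytes:", find_disallowed_prelude_bytes(sample))
        print("  verdict:", prelude_verdict(sample))
```

On the third sample the permissive rule yields the same request-line as on the first, while the RFC rule reports three offending bytes and the filter rejects; a detection rule can log `find_disallowed_prelude_bytes` output to see which control values a peer is sending.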


Advisories

No advisories yet.

History

Fri, 12 Jun 2026 16:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Netty; Netty netty
Vendors & Products | | Netty; Netty netty

Fri, 12 Jun 2026 16:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 12 Jun 2026 15:45:00 +0000

Type | Values Removed | Values Added
Description | | Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, before reading the first request-line, `HttpObjectDecoder` skips every byte for which `Character.isISOControl(b)` is `true` (0x00–0x1F and 0x7F) as well as all whitespace. RFC 9112 §2.2 only asks servers to ignore empty CRLF lines preceding the request-line — a carefully scoped robustness allowance intended to handle HTTP/1.0 POST workarounds. Silently absorbing NUL bytes, SOH, STX, and other non-CRLF control characters goes significantly beyond this, and can be exploited for request-boundary confusion in pipelined or multiplexed transports where a front-end component treats those bytes differently. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Title | | Netty's HttpObjectDecoder skips arbitrary initial control characters when only initial CRLF characters are permitted
Weaknesses | | CWE-444
References | |
Metrics | | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T15:56:43.051Z

Reserved: 2026-06-02T22:46:02.579Z

Link: CVE-2026-50020

Vulnrichment

Updated: 2026-06-12T15:55:54.681Z

NVD

Status: Undergoing Analysis

Published: 2026-06-12T16:16:31.447

Modified: 2026-06-12T17:16:24.827

Link: CVE-2026-50020

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T17:30:07Z

Weaknesses
  • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')