Norman Maurer

#39523 of 53,635
6.9 Total CVSS
Vulnerabilities · 1
PT-2026-43441
6.9
2026-05-26
Maven · Io.Netty.Incubator:Netty-Incubator-Codec-Ohttp · CVE-2026-41207
**Name of the Vulnerable Software and Affected Versions**

netty incubator codec.bhttp versions prior to 0.0.21.Final

**Description**

The `HKDF_expand()` function returns a non-NULL byte array filled with zeros on failure, so a caller cannot distinguish a successful derivation from a failed one. Because that output is used as key material for the response AEAD (Authenticated Encryption with Associated Data), a failure results in an all-zero AEAD key. Similarly, when `EVP_HPKE_CTX_export` fails it returns an all-zero byte array, which is passed unchecked to `createResponseAEAD()` in `OHttpCrypto`. In both cases the response AEAD is created with a deterministic, predictable key instead of failing closed.

**Recommendations**

Update to version 0.0.21.Final.