PT-2026-28107 · Netty+1

Xclow3N · Published 2026-03-25 · Updated 2026-05-18 · CVE-2026-33870

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Netty versions prior to 4.1.132.Final and 4.2.10.Final

Description: Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Specifically, Netty terminates chunk header parsing at carriage return/line feed (CR/LF) characters within quoted strings instead of rejecting the request as malformed. This creates a parsing differential between Netty and RFC-compliant parsers. The root cause is that Netty does not validate that CR/LF bytes are forbidden inside chunk extensions before the terminating CR/LF. A request containing CR/LF bytes within a chunk extension value should be rejected outright as invalid. This issue can lead to request smuggling, cache poisoning, access control bypass, and session hijacking.

Recommendations: Update to Netty version 4.1.132.Final or 4.2.10.Final.
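To make the parsing differential concrete, the following is an added example (not Netty's code and not from this advisory) that frames a chunk header two ways: a lenient mode that models the flawed behaviour described above as "the first CRLF ends the chunk header, even inside a quoted extension value" (an assumption about the bug, drawn only from the description), and a strict mode that tracks quoted-string state and rejects the request when CR or LF appears inside it. The sample inputs are constructed test vectors.

```python
import re
CR, LF, DQUOTE, BACKSLASH = 0x0D, 0x0A, 0x22, 0x5C

class MalformedChunkHeader(ValueError):
    """The chunk header must be rejected (RFC 9112 chunked-body grammar)."""

def chunk_header_end(buf: bytes, strict: bool) -> int:
    """Offset just past the CRLF ending the chunk header.  strict=False models the
    flawed behaviour (first CRLF wins); strict=True rejects CR/LF inside quotes."""
    if not strict:
        end = buf.find(b"\r\n")
        if end < 0:
            raise MalformedChunkHeader("no CRLF found")
        return end + 2
    in_quotes, i = False, 0
    while i < len(buf):
        b = buf[i]
        if b in (CR, LF):
            if in_quotes:
                raise MalformedChunkHeader(f"CR/LF inside quoted-string at {i}")
            if b == CR and buf[i + 1:i + 2] == b"\n":
                return i + 2
            raise MalformedChunkHeader(f"bare CR or LF at {i}")
        if in_quotes and b == BACKSLASH:  # quoted-pair escapes the next byte
            if buf[i + 1:i + 2] in (b"\r", b"\n"):
                raise MalformedChunkHeader(f"escaped CR/LF at {i + 1}")
            i += 2
            continue
        if b == DQUOTE:
            in_quotes = not in_quotes
        i += 1
    raise MalformedChunkHeader("chunk header not terminated")

def frame_chunk(buf: bytes, strict: bool) -> tuple[int, int]:
    # Returns (chunk_size, data_offset) as a parser in the given mode frames it.
    end = chunk_header_end(buf, strict)
    m = re.match(rb"[0-9A-Fa-f]+(?=;|$)", buf[:end - 2])
    if not m:
        raise MalformedChunkHeader("invalid chunk-size")
    return int(m.group(0), 16), end

def strict_rejects(buf: bytes) -> bool:
    # True when an RFC-compliant parser should discard the request outright.
    try:
        frame_chunk(buf, strict=True)
    except MalformedChunkHeader:
        return True
    return False

# Constructed inputs: a well-formed header, and one with CRLF inside the quotes.
GOOD = b'5;ext="ab cd"\r\nhello\r\n'
BAD = b'5;ext="ab\r\ncd"\r\nhello\r\n'
```

Both modes agree on GOOD (chunk data starts at offset 15), while on BAD the lenient mode places the chunk boundary at offset 11 and the strict mode rejects the request, which is the behaviour the fixed versions should exhibit.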

Weakness Enumeration

HTTP Request/Response Smuggling

Related Identifiers

CLEANSTART-2026-AV84730
CLEANSTART-2026-CF62516
CLEANSTART-2026-CQ39708
CLEANSTART-2026-DD05788
CLEANSTART-2026-DV49899
CLEANSTART-2026-DY69070
CLEANSTART-2026-EZ90321
CLEANSTART-2026-GN46454
CLEANSTART-2026-IE61882
CLEANSTART-2026-IS05941
CLEANSTART-2026-JU62349
CLEANSTART-2026-KB76878
CLEANSTART-2026-LE11246
CLEANSTART-2026-OQ84658
CLEANSTART-2026-PM36304
CLEANSTART-2026-RN56220
CLEANSTART-2026-SQ91016
CLEANSTART-2026-SR31778
CLEANSTART-2026-SV95049
CLEANSTART-2026-TK07726
CLEANSTART-2026-VH41554
CLEANSTART-2026-VJ37814
CLEANSTART-2026-VN28553
CLEANSTART-2026-WG59699
CLEANSTART-2026-WK99982
CVE-2026-33870
GHSA-PWQR-WMGM-9RR8
OPENSUSE-SU-2026:10463-1
SUSE-SU-2026:1353-1

Affected Products

Confluence
Netty