PT-2026-38376 · Netty+3

Published 2026-05-07 · Updated 2026-06-16 · CVE-2026-42584

CVSS v3.1: 9.1 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Netty versions prior to 4.2.13.Final
Netty versions prior to 4.1.133.Final

Description

In HttpClientCodec, each inbound response is paired with an outbound request by calling queue.poll() once per response, including 1xx responses. When HTTP/1.1 pipelining is used and the pipeline includes a HEAD request, a server that sends a 103 response, then a 200 response carrying the GET body, then another 200 for the HEAD request can cause the queue to pair the HEAD request with the first 200 response. Because the HEAD rule skips reading the message body, the GET entity bytes remain on the stream, and the subsequent 200 response is parsed from an incorrect offset. This affects the integrity and availability of HTTP parsing on the connection and leads to unsafe socket reuse.

Recommendations

Update to version 4.2.13.Final.
Update to version 4.1.133.Final.
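
The pairing error from the Description, as an added example that is not Netty's code and not part of the original advisory: a toy Python model of the decoder's request queue, run over a constructed response stream for a pipelined GET followed by HEAD. The `decode` function, its `poll_on_1xx` flag and the "do not consume a queue entry on 1xx" behaviour are assumptions made for illustration, not the actual patch.

```python
from collections import deque

# Constructed responses to a pipelined GET then HEAD (sample bytes, not a capture).
STREAM = (b"HTTP/1.1 103 Early Hints\r\n\r\n"
          b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"
          b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\n")

def decode(stream, methods, poll_on_1xx):
    """Toy model of response/request pairing; returns (method, start_line, body) tuples.

    poll_on_1xx=True models the behaviour the advisory describes; False is the
    assumed correction (interim responses do not consume a queued request)."""
    queue, pos, out = deque(methods), 0, []
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end < 0:
            out.append((None, stream[pos:], b""))   # trailing bytes, no full header
            break
        lines = stream[pos:end].split(b"\r\n")
        pos = end + 4
        fields = lines[0].split(b" ")
        if fields[0] != b"HTTP/1.1" or len(fields) < 2 or not fields[1].isdigit():
            out.append((None, lines[0], b""))       # parser is desynchronised
            break
        status = int(fields[1])
        if 100 <= status < 200:
            # Interim response: the modelled bug consumes a queue entry here.
            method = queue.popleft() if poll_on_1xx and queue else None
            out.append((method, lines[0], b""))
            continue
        method = queue.popleft() if queue else None
        length = 0
        for header in lines[1:]:
            name, _, value = header.partition(b":")
            if name.strip().lower() == b"content-length":
                length = int(value.strip())
        body = b""
        if method != "HEAD":                        # HEAD rule: never read a body
            body = stream[pos:pos + length]
            pos += length
        out.append((method, lines[0], body))
    return out

if __name__ == "__main__":
    for flag in (True, False):
        print("poll_on_1xx =", flag, decode(STREAM, ["GET", "HEAD"], flag))
```

With `poll_on_1xx=True` the third entry's start line is `helloHTTP/1.1 200 OK`: the unread GET body is now the front of the next response. With `False`, GET receives `hello` and HEAD receives an empty body.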

Exploit

Fix

DoS

HTTP Request/Response Smuggling


Weakness Enumeration

Related Identifiers

CLEANSTART-2026-CP46043
CLEANSTART-2026-DD05788
CLEANSTART-2026-EG39405
CLEANSTART-2026-GX01236
CLEANSTART-2026-LE11246
CLEANSTART-2026-MX76059
CLEANSTART-2026-PM36304
CLEANSTART-2026-PO27799
CLEANSTART-2026-RN56220
CLEANSTART-2026-RU36468
CLEANSTART-2026-VJ37814
CVE-2026-42584
GHSA-57RV-R2G8-2CJ3
OPENSUSE-SU-2026:10795-1
SUSE-SU-2026:2308-1
USN-8401-1

Affected Products

Confluence
Linuxmint
Netty
Ubuntu