PT-2026-38377 · Netty+3

Published 2026-05-07 · Updated 2026-06-16 · CVE-2026-42585

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions

Netty versions prior to 4.2.13.Final
Netty versions prior to 4.1.133.Final

Description

Netty incorrectly parses malformed Transfer-Encoding headers, which can lead to request smuggling attacks. Specifically, the framework incorrectly marks a request as chunked when the header Transfer-Encoding: chunked, identity is present. This occurs because the server fails to respond with a 400 (Bad Request) status code and close the connection when chunked transfer coding is not the final encoding, as required by RFC 9112. This issue can be exploited when Netty is positioned behind a proxy that forwards requests containing this malformed header but prefers Content-Length, allowing an attacker to inject arbitrary HTTP requests inside a request body.

Recommendations

Update to version 4.2.13.Final.
Update to version 4.1.133.Final.
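
The RFC 9112 rule cited in the description (chunked must be the final transfer coding, otherwise answer 400 and close the connection), written out as an added example; it is not Netty's code or the project's patch. The class, enum and method names are hypothetical, the sample header values are constructed, and it needs only the JDK (Java 9 or later).

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

// Added example (not Netty code): decide how a request's Transfer-Encoding
// field lines must be framed under the RFC 9112 rule quoted in the description.
public class TransferEncodingCheck {

    enum Verdict { NO_TRANSFER_ENCODING, CHUNKED_BODY, REJECT_400_AND_CLOSE }

    // Flatten all Transfer-Encoding field lines into one ordered list of coding names.
    static List<String> codings(List<String> fieldLines) {
        List<String> names = new ArrayList<>();
        for (String line : fieldLines) {
            for (String item : line.split(",")) {
                // Keep only the coding name: drop any ";param" and whitespace.
                String name = item.split(";", 2)[0].trim().toLowerCase(Locale.ROOT);
                if (!name.isEmpty()) names.add(name);
            }
        }
        return names;
    }

    static Verdict classify(List<String> fieldLines) {
        if (fieldLines.isEmpty()) return Verdict.NO_TRANSFER_ENCODING;
        List<String> names = codings(fieldLines);
        // "chunked" must appear exactly once and be the final coding;
        // anything else leaves the body length undeterminable.
        boolean chunkedLast = !names.isEmpty()
                && names.get(names.size() - 1).equals("chunked");
        boolean chunkedOnce = names.indexOf("chunked") == names.lastIndexOf("chunked");
        return (chunkedLast && chunkedOnce)
                ? Verdict.CHUNKED_BODY : Verdict.REJECT_400_AND_CLOSE;
    }

    public static void main(String[] args) {
        // Constructed sample header values, one inner list per request.
        List<List<String>> samples = List.of(
                List.<String>of(),               // header absent
                List.of("chunked"),              // well-formed
                List.of("gzip, chunked"),        // chunked is final: framing is determinable
                List.of("chunked, identity"),    // the malformed value from the description
                List.of("chunked", "identity"),  // same list split over two field lines
                List.of("chunked, chunked"),     // chunked applied twice
                List.of("  CHUNKED  "));         // case and whitespace variants
        for (List<String> s : samples) {
            System.out.printf("%-24s -> %s%n", s, classify(s));
        }
    }
}
```

The same classification can be run over proxy or access logs that record the Transfer-Encoding header to find requests an unpatched Netty backend would have framed as chunked.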

Exploit

Fix

DoS

HTTP Request/Response Smuggling

Weakness Enumeration

Related Identifiers

CLEANSTART-2026-CP46043
CLEANSTART-2026-DD05788
CLEANSTART-2026-EG39405
CLEANSTART-2026-GX01236
CLEANSTART-2026-LE11246
CLEANSTART-2026-MX76059
CLEANSTART-2026-PM36304
CLEANSTART-2026-PO27799
CLEANSTART-2026-RN56220
CLEANSTART-2026-RU36468
CLEANSTART-2026-VJ37814
CVE-2026-42585
GHSA-38F8-5428-X5CV
OPENSUSE-SU-2026:10795-1
SUSE-SU-2026:2308-1
USN-8401-1

Affected Products

Confluence
Linuxmint
Netty
Ubuntu