PT-2026-43441 · Maven · Io.Netty.Incubator:Netty-Incubator-Codec-Ohttp
Published
2026-05-26
·
Updated
2026-05-26
·
CVE-2026-41207
CVSS v4.0
6.9
Medium
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
HKDF expand: returns non-NULL on failure. The byte[] is filled with zeros and has no way to distinguish success from failure. Since this output is used as HKDF key material for the response AEAD, a failure silently produces an all-zero key.
When EVP HPKE CTX export fails it also returns an empty byte[] array filled with zeros. This byte[] feeds directly into OHttpCrypto.createResponseAEAD(...). A silent all-zero export secret would produce a deterministic, attacker-predictable AEAD key.
Fix
Use of Insufficiently Random Values
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Io.Netty.Incubator:Netty-Incubator-Codec-Ohttp