PT-2026-46309 · Netty · Netty Incubator Codec.Bhttp

Normanmaurer · Published 2026-06-04 · Updated 2026-06-05 · CVE-2026-48040

CVSS v4.0: 6.8 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
Name of the Vulnerable Software and Affected Versions: netty incubator codec.bhttp versions prior to 0.0.22.Final

Description: The library implements Oblivious HTTP (RFC 9458) using BoringSSL's HPKE C library via JNI. When sun.misc.Unsafe is unavailable (for example when the JVM is started with -Dio.netty.noUnsafe=true, when a SecurityManager restricts access, or on non-HotSpot JVMs), a fallback path is used for direct ByteBufs that do not expose their memory address through hasMemoryAddress(). In these configurations, an unauthenticated network attacker can use crafted OHTTP requests to trigger cryptographic operations that corrupt memory belonging to other concurrent connections and disclose the contents of adjacent pooled direct buffers. The out-of-bounds write happens whether or not the AEAD (Authenticated Encryption with Associated Data) tag verification succeeds, because BoringSSL zeroizes the output buffer on failure and that zeroization lands in the same wrong memory. The information disclosure yields the encryption key needed to extract the leaked data, compromising the confidentiality and integrity of all connections sharing the same Netty buffer arena.

Recommendations: Update to version 0.0.22.Final.
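The following exposure check is an added example, not code from the advisory or from the Netty project. It flags a deployment as exposed to CVE-2026-48040 when the codec version is below 0.0.22.Final and the JVM is started with -Dio.netty.noUnsafe=true, the one trigger condition that is visible from launch flags; the Maven coordinates (io.netty.incubator:netty-incubator-codec-bhttp) and the sample dependency output are assumptions constructed for this example.

```python
"""Exposure check for CVE-2026-48040 (netty incubator codec.bhttp < 0.0.22.Final).

Inputs are a `mvn dependency:list` style text and the JVM argument list.
Both sample values at the bottom are constructed, not taken from a real build.
"""
import re

FIXED_VERSION = "0.0.22.Final"
# Assumed Maven coordinates for the codec; verify against your build.
COORDS = r"io\.netty\.incubator:netty-incubator-codec-bhttp:jar:([\w.\-]+)"


def parse_version(v: str) -> tuple:
    """'0.0.21.Final' -> (0, 0, 21); the qualifier is ignored for ordering."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unrecognised version: {v}")
    return tuple(int(x) for x in m.groups())


def is_fixed_version(v: str) -> bool:
    return parse_version(v) >= parse_version(FIXED_VERSION)


def find_codec_version(dependency_list: str):
    """Return the codec version found in the dependency listing, or None."""
    for line in dependency_list.splitlines():
        m = re.search(COORDS, line)
        if m:
            return m.group(1)
    return None


def unsafe_disabled(jvm_args: list) -> bool:
    """True when the JVM is launched with the flag named in the advisory."""
    return any(a.strip() == "-Dio.netty.noUnsafe=true" for a in jvm_args)


def assess(dependency_list: str, jvm_args: list) -> str:
    version = find_codec_version(dependency_list)
    if version is None:
        return "not-present"
    if is_fixed_version(version):
        return "fixed"
    if unsafe_disabled(jvm_args):
        return "exposed"
    # Unsafe can also be unavailable under a SecurityManager or on a
    # non-HotSpot JVM, which launch flags alone do not reveal: still update.
    return "update-required"


SAMPLE_DEPS = "[INFO]    io.netty.incubator:netty-incubator-codec-bhttp:jar:0.0.21.Final:compile"
SAMPLE_ARGS = ["-Xmx1g", "-Dio.netty.noUnsafe=true"]

if __name__ == "__main__":
    print(assess(SAMPLE_DEPS, SAMPLE_ARGS))
```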

Fix: available (0.0.22.Final)

Weakness Enumeration: Out-of-bounds Read; Memory Corruption

Related Identifiers: CVE-2026-48040

Affected Products: Netty Incubator Codec.Bhttp