CVE-2026-42580
Netty vulnerable to HTTP Request Smuggling due to incorrect chunk size parsing
Severity: 6.5 MEDIUM (CVSS 3.1)
EPSS: 0.02%
Description
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's chunk size parser silently overflows int, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
How to fix CVE-2026-42580
To remediate CVE-2026-42580, upgrade the affected package to a fixed version below.
- —no fix listed
- —upgrade to 4.2.13.Final or later
Is CVE-2026-42580 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0
- >= 4.2.0.Alpha1, < 4.2.13.Final
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 6.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L |