{
  "threat_severity" : "Important",
  "public_date" : "2026-05-13T17:54:44Z",
  "bugzilla" : {
    "description" : "netty: io.netty/netty-codec-http: Netty: HTTP Request Smuggling due to improper handling of conflicting HTTP/1.0 headers",
    "id" : "2477232",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2477232"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.2",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-444",
  "details" : [ "Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder strips a conflicting Content-Length header when a request carries both Transfer-Encoding: chunked and Content-Length, but only for HTTP/1.1 messages. The guard is absent for HTTP/1.0. An attacker that sends an HTTP/1.0 request with both headers causes Netty to decode the body as chunked while leaving Content-Length intact in the forwarded HttpMessage. Any downstream proxy or handler that trusts Content-Length over Transfer-Encoding will disagree on message boundaries, enabling request smuggling. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.", "A flaw was found in Netty's HttpObjectDecoder. A remote attacker can exploit this by sending a specially crafted HTTP/1.0 request that includes both `Transfer-Encoding: chunked` and `Content-Length` headers. While Netty correctly strips the conflicting `Content-Length` header for HTTP/1.1 messages, this guard is absent for HTTP/1.0. This can lead to HTTP request smuggling, where downstream proxies or handlers may misinterpret message boundaries, potentially allowing an attacker to bypass security controls or access unauthorized information." ],
  "statement" : "This is an Important flaw. Netty's HttpObjectDecoder, used across various Red Hat products, improperly handles conflicting `Transfer-Encoding: chunked` and `Content-Length` headers in HTTP/1.0 requests. This allows a remote attacker to perform HTTP request smuggling, potentially bypassing security controls or gaining unauthorized access to information due to misinterpretation of message boundaries by downstream proxies or handlers.",
  "affected_release" : [ {
    "product_name" : "Cryostat 4 on RHEL 9",
    "release_date" : "2026-06-22T00:00:00Z",
    "advisory" : "RHSA-2026:28010",
    "cpe" : "cpe:/a:redhat:cryostat:4::el9",
    "package" : "cryostat/cryostat-reports-rhel9:4.2.0-10"
  }, {
    "product_name" : "Cryostat 4 on RHEL 9",
    "release_date" : "2026-06-22T00:00:00Z",
    "advisory" : "RHSA-2026:28010",
    "cpe" : "cpe:/a:redhat:cryostat:4::el9",
    "package" : "cryostat/cryostat-rhel9:4.2.0-10"
  }, {
    "product_name" : "Cryostat 4 on RHEL 9",
    "release_date" : "2026-06-22T00:00:00Z",
    "advisory" : "RHSA-2026:28010",
    "cpe" : "cpe:/a:redhat:cryostat:4::el9",
    "package" : "cryostat/jfr-datasource-rhel9:4.2.0-10"
  }, {
    "product_name" : "Red Hat build of Quarkus 3.27.4",
    "release_date" : "2026-06-10T00:00:00Z",
    "advisory" : "RHSA-2026:23808",
    "cpe" : "cpe:/a:redhat:quarkus:3.27::el8",
    "package" : "netty-codec-http"
  }, {
    "product_name" : "Red Hat build of Quarkus 3.33.2",
    "release_date" : "2026-06-10T00:00:00Z",
    "advisory" : "RHSA-2026:24502",
    "cpe" : "cpe:/a:redhat:quarkus:3.33::el8"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces 3.28",
    "release_date" : "2026-06-10T00:00:00Z",
    "advisory" : "RHSA-2026:25123",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3.28::el9",
    "package" : "devspaces/openvsx-rhel9:1780948325"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces 3.28",
    "release_date" : "2026-06-10T00:00:00Z",
    "advisory" : "RHSA-2026:25123",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3.28::el9",
    "package" : "devspaces/pluginregistry-rhel9:1780696380"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces 3.28",
    "release_date" : "2026-06-10T00:00:00Z",
    "advisory" : "RHSA-2026:25123",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3.28::el9",
    "package" : "devspaces/server-rhel9:1780694994"
  } ],
  "package_state" : [ {
    "product_name" : "OpenShift Serverless",
    "fix_state" : "Under investigation",
    "package_name" : "openshift-serverless-1/kn-ekb-dispatcher-rhel9",
    "cpe" : "cpe:/a:redhat:serverless:1"
  }, {
    "product_name" : "OpenShift Serverless",
    "fix_state" : "Under investigation",
    "package_name" : "openshift-serverless-1/kn-ekb-receiver-rhel9",
    "cpe" : "cpe:/a:redhat:serverless:1"
  }, {
    "product_name" : "OpenShift Serverless",
    "fix_state" : "Under investigation",
    "package_name" : "openshift-serverless-1/kn-eventing-integrations-aws-ddb-streams-source-rhel9",
    "cpe" : "cpe:/a:redhat:serverless:1"
  }, {
    "product_name" : "OpenShift Serverless",
    "fix_state" : "Under investigation",
    "package_name" : "openshift-serverless-1/kn-eventing-integrations-aws-s3-sink-rhel9",
    "cpe" : "cpe:/a:redhat:serverless:1"
  }, {
    "product_name" : "OpenShift Serverless",
    "fix_state" : "Under investigation",
    "package_name" : "openshift-serverless-1/kn-eventing-integrations-aws-s3-source-rhel9",
    "cpe" : "cpe:/a:redhat:serverless:1"
  }, {
    "product_name" : "OpenShift Serverless",
    "fix_state" : "Under investigation",
    "package_name" : "openshift-serverless-1/kn-eventing-integrations-aws-sns-sink-rhel9",
    "cpe" : "cpe:/a:redhat:serverless:1"
  }, {
    "product_name" : "OpenShift Serverless",
    "fix_state" : "Under investigation",
    "package_name" : "openshift-serverless-1/kn-eventing-integrations-aws-sqs-sink-rhel9",
    "cpe" : "cpe:/a:redhat:serverless:1"
  }, {
    "product_name" : "OpenShift Serverless",
    "fix_state" : "Under investigation",
    "package_name" : "openshift-serverless-1/kn-eventing-integrations-aws-sqs-source-rhel9",
    "cpe" : "cpe:/a:redhat:serverless:1"
  }, {
    "product_name" : "OpenShift Serverless",
    "fix_state" : "Under investigation",
    "package_name" : "openshift-serverless-1/kn-eventing-integrations-log-sink-rhel9",
    "cpe" : "cpe:/a:redhat:serverless:1"
  }, {
    "product_name" : "OpenShift Serverless",
    "fix_state" : "Under investigation",
    "package_name" : "openshift-serverless-1/kn-eventing-integrations-timer-source-rhel9",
    "cpe" : "cpe:/a:redhat:serverless:1"
  }, {
    "product_name" : "Red Hat AMQ Broker 7",
    "fix_state" : "Under investigation",
    "package_name" : "netty-codec-http",
    "cpe" : "cpe:/a:redhat:amq_broker:7"
  }, {
    "product_name" : "Red Hat AMQ Clients",
    "fix_state" : "Under investigation",
    "package_name" : "netty-codec-http",
    "cpe" : "cpe:/a:redhat:amq_clients:2023"
  }, {
    "product_name" : "Red Hat build of Apache Camel 4 for Quarkus 3",
    "fix_state" : "Under investigation",
    "package_name" : "netty-codec-http",
    "cpe" : "cpe:/a:redhat:camel_quarkus:3"
  }, {
    "product_name" : "Red Hat build of Apache Camel for Spring Boot 4",
    "fix_state" : "Under investigation",
    "package_name" : "netty-codec-http",
    "cpe" : "cpe:/a:redhat:camel_spring_boot:4"
  }, {
    "product_name" : "Red Hat build of Apicurio Registry 2",
    "fix_state" : "Under investigation",
    "package_name" : "netty-codec-http",
    "cpe" : "cpe:/a:redhat:service_registry:2"
  }, {
    "product_name" : "Red Hat build of Apicurio Registry 3",
    "fix_state" : "Under investigation",
    "package_name" : "netty-codec-http",
    "cpe" : "cpe:/a:redhat:apicurio_registry:3"
  }, {
    "product_name" : "Red Hat build of Debezium 3",
    "fix_state" : "Under investigation",
    "package_name" : "netty-codec-http",
    "cpe" : "cpe:/a:redhat:debezium:3"
  }, {
    "product_name" : "Red Hat Build of Keycloak",
    "fix_state" : "Under investigation",
    "package_name" : "netty-codec-http",
    "cpe" : "cpe:/a:redhat:build_keycloak:"
  }, {
    "product_name" : "Red Hat Build of Keycloak",
    "fix_state" : "Under investigation",
    "package_name" : "rhbk/keycloak-rhel9",
    "cpe" : "cpe:/a:redhat:build_keycloak:"
  }, {
    "product_name" : "Red Hat Build of Keycloak",
    "fix_state" : "Under investigation",
    "package_name" : "rhbk/keycloak-rhel9-operator",
    "cpe" : "cpe:/a:redhat:build_keycloak:"
  }, {
    "product_name" : "Red Hat Build of Keycloak",
    "fix_state" : "Under investigation",
    "package_name" : "rhbk-openshift-rhel9/rhbk-openshift-rhel9",
    "cpe" : "cpe:/a:redhat:build_keycloak:"
  }, {
    "product_name" : "Red Hat Build of Keycloak",
    "fix_state" : "Under investigation",
    "package_name" : "rhbk-rhel9-operator/rhbk-rhel9-operator",
    "cpe" : "cpe:/a:redhat:build_keycloak:"
  }, {
    "product_name" : "Red Hat build of OptaPlanner 8",
    "fix_state" : "Under investigation",
    "package_name" : "netty-codec-http",
    "cpe" : "cpe:/a:redhat:optaplanner:::el6"
  }, {
    "product_name" : "Red Hat Data Grid 8",
    "fix_state" : "Under investigation",
    "package_name" : "netty-codec-http",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3",
    "fix_state" : "Under investigation",
    "package_name" : "bazel6",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3",
    "fix_state" : "Under investigation",
    "package_name" : "bazel7",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3",
    "fix_state" : "Under investigation",
    "package_name" : "bazel8",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3"
  }, {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Under investigation",
    "package_name" : "netty-codec-http",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7",
    "fix_state" : "Under investigation",
    "package_name" : "netty-codec-http",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8",
    "fix_state" : "Under investigation",
    "package_name" : "netty-codec-http",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack",
    "fix_state" : "Under investigation",
    "package_name" : "netty-codec-http",
    "cpe" : "cpe:/a:redhat:jbosseapxp"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Under investigation",
    "package_name" : "rhoai/odh-modelmesh-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Under investigation",
    "package_name" : "rhoai/odh-modelmesh-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Under investigation",
    "package_name" : "rhoai/odh-spark-operator-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Under investigation",
    "package_name" : "rhoai/odh-th06-cpu-torch210-py312-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Under investigation",
    "package_name" : "rhoai/odh-th06-cpu-torch291-py312-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Under investigation",
    "package_name" : "rhoai/odh-th06-cuda130-torch210-py312-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Under investigation",
    "package_name" : "rhoai/odh-th06-cuda130-torch291-py312-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Under investigation",
    "package_name" : "rhoai/odh-th06-rocm64-torch291-py312-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Under investigation",
    "package_name" : "rhoai/odh-trustyai-service-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Under investigation",
    "package_name" : "rhoai/odh-trustyai-service-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces",
    "fix_state" : "Under investigation",
    "package_name" : "devspaces/multicluster-redirector-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3"
  }, {
    "product_name" : "Red Hat Process Automation 7",
    "fix_state" : "Under investigation",
    "package_name" : "netty-codec-http",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
  }, {
    "product_name" : "Red Hat Satellite 6",
    "fix_state" : "Under investigation",
    "package_name" : "candlepin",
    "cpe" : "cpe:/a:redhat:satellite:6"
  }, {
    "product_name" : "Red Hat Satellite 6",
    "fix_state" : "Under investigation",
    "package_name" : "satellite:el8/candlepin",
    "cpe" : "cpe:/a:redhat:satellite:6"
  }, {
    "product_name" : "Red Hat Single Sign-On 7",
    "fix_state" : "Under investigation",
    "package_name" : "netty-codec-http",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7"
  }, {
    "product_name" : "streams for Apache Kafka 2",
    "fix_state" : "Not affected",
    "package_name" : "netty-codec-http",
    "cpe" : "cpe:/a:redhat:amq_streams:2"
  }, {
    "product_name" : "streams for Apache Kafka 3",
    "fix_state" : "Under investigation",
    "package_name" : "netty-codec-http",
    "cpe" : "cpe:/a:redhat:amq_streams:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-42581\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-42581\nhttps://github.com/netty/netty/security/advisories/GHSA-xxqh-mfjm-7mv9" ],
  "name" : "CVE-2026-42581",
  "csaw" : false
}