CVE-2026-42585
published 2026-05-13CVE-2026-42585: Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty incorrectly parses malformed…
high7.5CVSS 3.1
AVNACLPRNUINSUCNIHAN
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Affected
37 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| candlepinproject | candlepin | — | — |
| devspaces | multicluster-redirector-rhel9 | — | — |
| devspaces | openvsx-rhel9 | — | — |
| devspaces | pluginregistry-rhel9 | — | — |
| devspaces | server-rhel9 | — | — |
| io.netty | netty-codec-http | < 4.1.133.Final | 4.1.133.Final |
| io.netty | netty-codec-http | — | — |
| io.netty | netty-codec-http | — | — |
| netty | netty | < 4.1.133.Final | 4.1.133.Final |
| netty | netty | < 4.1.133 | 4.1.133 |
| netty | netty | — | — |
| netty | netty | >= 4.2.0 < 4.2.13 | 4.2.13 |
| openshift-serverless-1 | kn-ekb-dispatcher-rhel9 | — | — |
| openshift-serverless-1 | kn-ekb-receiver-rhel9 | — | — |
| openshift-serverless-1 | kn-eventing-integrations-aws-ddb-streams-source-rhel9 | — | — |
| openshift-serverless-1 | kn-eventing-integrations-aws-s3-sink-rhel9 | — | — |
| openshift-serverless-1 | kn-eventing-integrations-aws-s3-source-rhel9 | — | — |
| openshift-serverless-1 | kn-eventing-integrations-aws-sns-sink-rhel9 | — | — |
| openshift-serverless-1 | kn-eventing-integrations-aws-sqs-sink-rhel9 | — | — |
| openshift-serverless-1 | kn-eventing-integrations-aws-sqs-source-rhel9 | — | — |
| openshift-serverless-1 | kn-eventing-integrations-log-sink-rhel9 | — | — |
| openshift-serverless-1 | kn-eventing-integrations-timer-source-rhel9 | — | — |
| rhbk-openshift-rhel9 | rhbk-openshift-rhel9 | — | — |
| rhbk-rhel9-operator | rhbk-rhel9-operator | — | — |
| rhbk | keycloak-rhel9 | — | — |