CVE-2026-42580

About vulnerability

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty’s chunk size parser silently overflows int, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

Affected product:

Apache CXF , Apache Kafka , Apache Log4j , Apache Lucene , Apache Spark , Eclipse Jetty , Netty , Spring , Wildfly , artemis , async-http-client , avro , azure-sdk-for-java , bolt-connection-java , camel , cassandra-java-driver , couchbase-jvm-clients , docker-java , elasticsearch , grpc-java , grpc-netty , infinispan , java-driver , lettuce , logging-flume , neo4j-java-driver , netty , olingo-odata4 , pulsar , rabbitmq-stream-java-client , rsocket-java , tika , vert.x , wildfly , zendesk-java-client , zookeeper

Affected packages:

wildfly-ejb-client-bom @ 27.0.1.Final (+6935 more)

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty’s chunk size parser silently overflows int, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.