Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2026-42584 (GCVE-0-2026-42584)
Vulnerability from cvelistv5 – Published: 2026-05-13 18:10 – Updated: 2026-07-10 12:06- CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
| URL | Tags |
|---|---|
| https://github.com/netty/netty/security/advisorie… | x_refsource_CONFIRM |
| https://access.redhat.com/security/cve/CVE-2026-42584 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2477224 | issue-trackingx_refsource_REDHAT |
| https://security.access.redhat.com/data/csaf/v2/v… | x_sadp-csaf-vex |
| https://access.redhat.com/errata/RHSA-2026:28010 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:25123 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:36820 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:37390 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:23808 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:24502 | vendor-advisoryx_refsource_REDHAT |
| Vendor | Product | Version | |
|---|---|---|---|
| netty | netty |
Affected:
>= 4.2.0.Alpha1, < 4.2.13.Final
Affected: < 4.1.133.Final |
|
| io.netty | netty-codec-http |
Affected:
>= 4.2.0.Alpha1, < 4.2.13.Final
Affected: < 4.1.133.Final |
|
| Red Hat | Cryostat 4 on RHEL 9 |
cpe:/a:redhat:cryostat:4::el9 |
|
| Red Hat | Red Hat OpenShift Dev Spaces 3.28 |
cpe:/a:redhat:openshift_devspaces:3.28::el9 |
|
| Red Hat | Red Hat OpenShift Dev Spaces 3.29 |
cpe:/a:redhat:openshift_devspaces:3.29::el9 |
|
| Red Hat | Red Hat build of Apache Camel 4.18.1.P1 for Spring Boot 3.5.16 |
cpe:/a:redhat:apache_camel_spring_boot:4.18 |
|
| Red Hat | Red Hat build of Quarkus 3.27.4 |
cpe:/a:redhat:quarkus:3.27::el8 |
|
| Red Hat | Red Hat build of Quarkus 3.33.2 |
cpe:/a:redhat:quarkus:3.33::el8 |
|
| Red Hat | OpenShift Serverless |
cpe:/a:redhat:serverless:1 |
|
| Red Hat | Red Hat AMQ Broker 7 |
cpe:/a:redhat:amq_broker:7 |
|
| Red Hat | Red Hat AMQ Clients |
cpe:/a:redhat:amq_clients:2023 |
|
| Red Hat | Red Hat build of Apicurio Registry 2 |
cpe:/a:redhat:service_registry:2 |
|
| Red Hat | Red Hat build of Apicurio Registry 3 |
cpe:/a:redhat:apicurio_registry:3 |
|
| Red Hat | Red Hat build of Debezium 3 |
cpe:/a:redhat:debezium:3 |
|
| Red Hat | Red Hat Build of Keycloak |
cpe:/a:redhat:build_keycloak: |
|
| Red Hat | Red Hat build of OptaPlanner 8 |
cpe:/a:redhat:optaplanner:::el6 |
|
| Red Hat | Red Hat Data Grid 8 |
cpe:/a:redhat:jboss_data_grid:8 |
|
| Red Hat | Red Hat Enterprise Linux AI (RHEL AI) 3 |
cpe:/a:redhat:enterprise_linux_ai:3 |
|
| Red Hat | Red Hat Fuse 7 |
cpe:/a:redhat:jboss_fuse:7 |
|
| Red Hat | Red Hat JBoss Enterprise Application Platform 7 |
cpe:/a:redhat:jboss_enterprise_application_platform:7 |
|
| Red Hat | Red Hat JBoss Enterprise Application Platform 8 |
cpe:/a:redhat:jboss_enterprise_application_platform:8 |
|
| Red Hat | Red Hat JBoss Enterprise Application Platform Expansion Pack |
cpe:/a:redhat:jbosseapxp |
|
| Red Hat | Red Hat OpenShift AI (RHOAI) |
cpe:/a:redhat:openshift_ai |
|
| Red Hat | Red Hat Process Automation 7 |
cpe:/a:redhat:jboss_enterprise_bpms_platform:7 |
|
| Red Hat | Red Hat Single Sign-On 7 |
cpe:/a:redhat:red_hat_single_sign_on:7 |
|
| Red Hat | streams for Apache Kafka 3 |
cpe:/a:redhat:amq_streams:3 |
|
| Red Hat | Red Hat build of Apache Camel 4 for Quarkus 3 |
cpe:/a:redhat:camel_quarkus:3 |
|
| Red Hat | Red Hat Satellite 6 |
cpe:/a:redhat:satellite:6 |
|
| Red Hat | streams for Apache Kafka 2 |
cpe:/a:redhat:amq_streams:2 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42584",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T18:35:01.642953Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T18:35:05.734Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/netty/netty/security/advisories/GHSA-57rv-r2g8-2cj3"
}
],
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:cryostat:4::el9"
],
"defaultStatus": "affected",
"product": "Cryostat 4 on RHEL 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_devspaces:3.28::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Dev Spaces 3.28",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_devspaces:3.29::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Dev Spaces 3.29",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:apache_camel_spring_boot:4.18"
],
"defaultStatus": "affected",
"product": "Red Hat build of Apache Camel 4.18.1.P1 for Spring Boot 3.5.16",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:quarkus:3.27::el8"
],
"defaultStatus": "affected",
"product": "Red Hat build of Quarkus 3.27.4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:quarkus:3.33::el8"
],
"defaultStatus": "affected",
"product": "Red Hat build of Quarkus 3.33.2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:serverless:1"
],
"defaultStatus": "affected",
"product": "OpenShift Serverless",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:amq_broker:7"
],
"defaultStatus": "affected",
"product": "Red Hat AMQ Broker 7",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:amq_clients:2023"
],
"defaultStatus": "affected",
"product": "Red Hat AMQ Clients",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_registry:2"
],
"defaultStatus": "affected",
"product": "Red Hat build of Apicurio Registry 2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:apicurio_registry:3"
],
"defaultStatus": "affected",
"product": "Red Hat build of Apicurio Registry 3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:debezium:3"
],
"defaultStatus": "affected",
"product": "Red Hat build of Debezium 3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:build_keycloak:"
],
"defaultStatus": "affected",
"product": "Red Hat Build of Keycloak",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:optaplanner:::el6"
],
"defaultStatus": "affected",
"product": "Red Hat build of OptaPlanner 8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:jboss_data_grid:8"
],
"defaultStatus": "affected",
"product": "Red Hat Data Grid 8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux_ai:3"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:jboss_fuse:7"
],
"defaultStatus": "affected",
"product": "Red Hat Fuse 7",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7"
],
"defaultStatus": "affected",
"product": "Red Hat JBoss Enterprise Application Platform 7",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:8"
],
"defaultStatus": "affected",
"product": "Red Hat JBoss Enterprise Application Platform 8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:jbosseapxp"
],
"defaultStatus": "affected",
"product": "Red Hat JBoss Enterprise Application Platform Expansion Pack",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift AI (RHOAI)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
],
"defaultStatus": "affected",
"product": "Red Hat Process Automation 7",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:red_hat_single_sign_on:7"
],
"defaultStatus": "affected",
"product": "Red Hat Single Sign-On 7",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:amq_streams:3"
],
"defaultStatus": "affected",
"product": "streams for Apache Kafka 3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:camel_quarkus:3"
],
"defaultStatus": "unaffected",
"product": "Red Hat build of Apache Camel 4 for Quarkus 3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:satellite:6"
],
"defaultStatus": "unaffected",
"product": "Red Hat Satellite 6",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:amq_streams:2"
],
"defaultStatus": "unaffected",
"product": "streams for Apache Kafka 2",
"vendor": "Red Hat"
}
],
"datePublic": "2026-05-13T18:10:48.437Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Netty, an asynchronous, event-driven network application framework. A remote attacker could exploit this vulnerability by sending a specific sequence of HTTP responses (103, followed by a 200 with a GET body, then another 200 for a HEAD request) when the client pipelines GET then HEAD requests. This can cause the HttpClientCodec to incorrectly pair responses, leading to subsequent HTTP responses being parsed from the wrong offset. This issue may result in information disclosure or other data integrity problems due to misinterpretation of network traffic."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-444",
"description": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T12:06:05.037Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-42584"
},
{
"name": "RHBZ#2477224",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2477224"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42584.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:28010"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25123"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:36820"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:37390"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:23808"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:24502"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:28010: Cryostat 4 on RHEL 9"
},
{
"lang": "en",
"value": "RHSA-2026:25123: Red Hat OpenShift Dev Spaces 3.28"
},
{
"lang": "en",
"value": "RHSA-2026:36820: Red Hat OpenShift Dev Spaces 3.29"
},
{
"lang": "en",
"value": "RHSA-2026:37390: Red Hat build of Apache Camel 4.18.1.P1 for Spring Boot 3.5.16"
},
{
"lang": "en",
"value": "RHSA-2026:23808: Red Hat build of Quarkus 3.27.4"
},
{
"lang": "en",
"value": "RHSA-2026:24502: Red Hat build of Quarkus 3.33.2"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-13T19:01:51.846Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-05-13T18:10:48.437Z",
"value": "Made public."
}
],
"title": "netty: io.netty/netty-codec-http: Netty: Incorrect HTTP response parsing leads to data confusion",
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"product": "netty",
"vendor": "netty",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.2.0.Alpha1, \u003c 4.2.13.Final"
},
{
"status": "affected",
"version": "\u003c 4.1.133.Final"
}
]
},
{
"product": "netty-codec-http",
"vendor": "io.netty",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.2.0.Alpha1, \u003c 4.2.13.Final"
},
{
"status": "affected",
"version": "\u003c 4.1.133.Final"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll() once per response, including for 1xx. If the client pipelines GET then HEAD and the server sends 103, then 200 with GET body, then 200 for HEAD, the queue pairs HEAD with the first 200. The HEAD rule then skips reading that message\u2019s body, so the GET entity bytes stay on the stream and the following 200 is parsed from the wrong offset. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-444",
"description": "CWE-444: Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T18:10:48.437Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/netty/netty/security/advisories/GHSA-57rv-r2g8-2cj3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/netty/netty/security/advisories/GHSA-57rv-r2g8-2cj3"
}
],
"source": {
"advisory": "GHSA-57rv-r2g8-2cj3",
"discovery": "UNKNOWN"
},
"title": "Netty: HttpClientCodec response desynchronization"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42584",
"datePublished": "2026-05-13T18:10:48.437Z",
"dateReserved": "2026-04-28T17:26:12.086Z",
"dateUpdated": "2026-07-10T12:06:05.037Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-42584",
"date": "2026-07-12",
"epss": "0.0075",
"percentile": "0.50617"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-42584\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-13T19:17:24.043\",\"lastModified\":\"2026-07-10T12:16:54.507\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll() once per response, including for 1xx. If the client pipelines GET then HEAD and the server sends 103, then 200 with GET body, then 200 for HEAD, the queue pairs HEAD with the first 200. The HEAD rule then skips reading that message\u2019s body, so the GET entity bytes stay on the stream and the following 200 is parsed from the wrong offset. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.\"}],\"affected\":[{\"source\":\"security-advisories@github.com\",\"affectedData\":[{\"vendor\":\"netty\",\"product\":\"netty\",\"versions\":[{\"version\":\"\u003e= 4.2.0.Alpha1, \u003c 4.2.13.Final\",\"status\":\"affected\"},{\"version\":\"\u003c 4.1.133.Final\",\"status\":\"affected\"}]},{\"vendor\":\"io.netty\",\"product\":\"netty-codec-http\",\"versions\":[{\"version\":\"\u003e= 4.2.0.Alpha1, \u003c 4.2.13.Final\",\"status\":\"affected\"},{\"version\":\"\u003c 4.1.133.Final\",\"status\":\"affected\"}]}]},{\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\",\"affectedData\":[{\"vendor\":\"Red Hat\",\"product\":\"Cryostat 4 on RHEL 9\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:cryostat:4::el9\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift Dev Spaces 3.28\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:openshift_devspaces:3.28::el9\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift Dev Spaces 3.29\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:openshift_devspaces:3.29::el9\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat build of Apache Camel 4.18.1.P1 for Spring Boot 3.5.16\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:apache_camel_spring_boot:4.18\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat build of Quarkus 3.27.4\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:quarkus:3.27::el8\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat build of Quarkus 3.33.2\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:quarkus:3.33::el8\"]},{\"vendor\":\"Red Hat\",\"product\":\"OpenShift Serverless\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:serverless:1\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat AMQ Broker 7\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:amq_broker:7\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat AMQ Clients\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:amq_clients:2023\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat build of Apicurio Registry 2\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:service_registry:2\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat build of Apicurio Registry 3\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:apicurio_registry:3\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat build of Debezium 3\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:debezium:3\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Build of Keycloak\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:build_keycloak:\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat build of OptaPlanner 8\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:optaplanner:::el6\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Data Grid 8\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:jboss_data_grid:8\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux AI (RHEL AI) 3\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:enterprise_linux_ai:3\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Fuse 7\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:jboss_fuse:7\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat JBoss Enterprise Application Platform 7\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:jboss_enterprise_application_platform:7\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat JBoss Enterprise Application Platform 8\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:jboss_enterprise_application_platform:8\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat JBoss Enterprise Application Platform Expansion Pack\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:jbosseapxp\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift AI (RHOAI)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:openshift_ai\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Process Automation 7\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:jboss_enterprise_bpms_platform:7\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Single Sign-On 7\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:red_hat_single_sign_on:7\"]},{\"vendor\":\"Red Hat\",\"product\":\"streams for Apache Kafka 3\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:amq_streams:3\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat build of Apache Camel 4 for Quarkus 3\",\"defaultStatus\":\"unaffected\",\"cpes\":[\"cpe:/a:redhat:camel_quarkus:3\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Satellite 6\",\"defaultStatus\":\"unaffected\",\"cpes\":[\"cpe:/a:redhat:satellite:6\"]},{\"vendor\":\"Red Hat\",\"product\":\"streams for Apache Kafka 2\",\"defaultStatus\":\"unaffected\",\"cpes\":[\"cpe:/a:redhat:amq_streams:2\"]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\",\"baseScore\":7.3,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":3.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H\",\"baseScore\":9.1,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.2},{\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\",\"baseScore\":7.3,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":3.4}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-05-13T18:35:01.642953Z\",\"id\":\"CVE-2026-42584\",\"options\":[{\"exploitation\":\"poc\"},{\"automatable\":\"yes\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-444\"}]},{\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-444\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"4.1.133\",\"matchCriteriaId\":\"DFE205A5-2C43-40C9-A2FF-CF6759B8D861\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.2.0\",\"versionEndExcluding\":\"4.2.13\",\"matchCriteriaId\":\"D94A720F-9CED-4BE9-8C37-FD9E2FD28472\"}]}]}],\"references\":[{\"url\":\"https://github.com/netty/netty/security/advisories/GHSA-57rv-r2g8-2cj3\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:23808\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:24502\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:25123\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:28010\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:36820\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:37390\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/security/cve/CVE-2026-42584\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=2477224\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://github.com/netty/netty/security/advisories/GHSA-57rv-r2g8-2cj3\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42584.json\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"}]}}",
"redhat_vex": {
"aggregate_severity": "Important",
"current_release_date": "2026-07-09T15:30:07+00:00",
"cve": "CVE-2026-42584",
"id": "CVE-2026-42584",
"initial_release_date": "2026-05-13T18:10:48.437000+00:00",
"product_status:fixed": "25",
"product_status:known_affected": "34",
"product_status:known_not_affected": "140",
"source": "Red Hat CSAF VEX",
"status": "final",
"title": "netty: io.netty/netty-codec-http: Netty: Incorrect HTTP response parsing leads to data confusion",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42584.json",
"version": "3"
},
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"netty: io.netty/netty-codec-http: Netty: Incorrect HTTP response parsing leads to data confusion\", \"metrics\": [{\"other\": {\"type\": \"Red Hat severity rating\", \"content\": {\"value\": \"Important\", \"namespace\": \"https://access.redhat.com/security/updates/classification/\"}}}, {\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"cpes\": [\"cpe:/a:redhat:cryostat:4::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Cryostat 4 on RHEL 9\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift_devspaces:3.28::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift Dev Spaces 3.28\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift_devspaces:3.29::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift Dev Spaces 3.29\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:quarkus:3.27::el8\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat build of Quarkus 3.27.4\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:quarkus:3.33::el8\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat build of Quarkus 3.33.2\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:serverless:1\"], \"vendor\": \"Red Hat\", \"product\": \"OpenShift Serverless\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:amq_broker:7\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat AMQ Broker 7\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:amq_clients:2023\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat AMQ Clients\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:camel_spring_boot:4\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat build of Apache Camel for Spring Boot 4\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:service_registry:2\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat build of Apicurio Registry 2\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:apicurio_registry:3\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat build of Apicurio Registry 3\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:debezium:3\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat build of Debezium 3\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:build_keycloak:\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Build of Keycloak\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:optaplanner:::el6\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat build of OptaPlanner 8\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:jboss_data_grid:8\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Data Grid 8\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:enterprise_linux_ai:3\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux AI (RHEL AI) 3\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:jboss_fuse:7\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Fuse 7\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:jboss_enterprise_application_platform:7\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat JBoss Enterprise Application Platform 7\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:jboss_enterprise_application_platform:8\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat JBoss Enterprise Application Platform 8\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:jbosseapxp\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat JBoss Enterprise Application Platform Expansion Pack\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift_ai\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift AI (RHOAI)\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:jboss_enterprise_bpms_platform:7\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Process Automation 7\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:red_hat_single_sign_on:7\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Single Sign-On 7\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:amq_streams:3\"], \"vendor\": \"Red Hat\", \"product\": \"streams for Apache Kafka 3\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:camel_quarkus:3\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat build of Apache Camel 4 for Quarkus 3\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:satellite:6\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Satellite 6\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:amq_streams:2\"], \"vendor\": \"Red Hat\", \"product\": \"streams for Apache Kafka 2\", \"defaultStatus\": \"unaffected\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2026-05-13T19:01:51.846Z\", \"value\": \"Reported to Red Hat.\"}, {\"lang\": \"en\", \"time\": \"2026-05-13T18:10:48.437Z\", \"value\": \"Made public.\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"RHSA-2026:28010: Cryostat 4 on RHEL 9\"}, {\"lang\": \"en\", \"value\": \"RHSA-2026:25123: Red Hat OpenShift Dev Spaces 3.28\"}, {\"lang\": \"en\", \"value\": \"RHSA-2026:36820: Red Hat OpenShift Dev Spaces 3.29\"}, {\"lang\": \"en\", \"value\": \"RHSA-2026:23808: Red Hat build of Quarkus 3.27.4\"}, {\"lang\": \"en\", \"value\": \"RHSA-2026:24502: Red Hat build of Quarkus 3.33.2\"}], \"x_adpType\": \"supplier\", \"datePublic\": \"2026-05-13T18:10:48.437Z\", \"references\": [{\"url\": \"https://access.redhat.com/security/cve/CVE-2026-42584\", \"tags\": [\"vdb-entry\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=2477224\", \"name\": \"RHBZ#2477224\", \"tags\": [\"issue-tracking\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42584.json\", \"tags\": [\"x_sadp-csaf-vex\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2026:28010\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2026:25123\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2026:36820\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2026:23808\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2026:24502\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}], \"x_generator\": {\"engine\": \"sadp-cli 1.0.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"A flaw was found in Netty, an asynchronous, event-driven network application framework. A remote attacker could exploit this vulnerability by sending a specific sequence of HTTP responses (103, followed by a 200 with a GET body, then another 200 for a HEAD request) when the client pipelines GET then HEAD requests. This can cause the HttpClientCodec to incorrectly pair responses, leading to subsequent HTTP responses being parsed from the wrong offset. This issue may result in information disclosure or other data integrity problems due to misinterpretation of network traffic.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-444\", \"description\": \"Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\", \"shortName\": \"redhat-SADP\", \"dateUpdated\": \"2026-07-09T12:09:58.325Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-42584\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-13T18:35:01.642953Z\"}}}], \"references\": [{\"url\": \"https://github.com/netty/netty/security/advisories/GHSA-57rv-r2g8-2cj3\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-13T18:34:51.803Z\"}}], \"cna\": {\"title\": \"Netty: HttpClientCodec response desynchronization\", \"source\": {\"advisory\": \"GHSA-57rv-r2g8-2cj3\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"netty\", \"product\": \"netty\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 4.2.0.Alpha1, \u003c 4.2.13.Final\"}, {\"status\": \"affected\", \"version\": \"\u003c 4.1.133.Final\"}]}, {\"vendor\": \"io.netty\", \"product\": \"netty-codec-http\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 4.2.0.Alpha1, \u003c 4.2.13.Final\"}, {\"status\": \"affected\", \"version\": \"\u003c 4.1.133.Final\"}]}], \"references\": [{\"url\": \"https://github.com/netty/netty/security/advisories/GHSA-57rv-r2g8-2cj3\", \"name\": \"https://github.com/netty/netty/security/advisories/GHSA-57rv-r2g8-2cj3\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll() once per response, including for 1xx. If the client pipelines GET then HEAD and the server sends 103, then 200 with GET body, then 200 for HEAD, the queue pairs HEAD with the first 200. The HEAD rule then skips reading that message\\u2019s body, so the GET entity bytes stay on the stream and the following 200 is parsed from the wrong offset. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-444\", \"description\": \"CWE-444: Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-05-13T18:10:48.437Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-42584\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-07-09T12:09:58.325Z\", \"dateReserved\": \"2026-04-28T17:26:12.086Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-05-13T18:10:48.437Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
cleanstart-2026-pm36304
Vulnerability from cleanstart
Multiple security vulnerabilities affect the opensearch package. These issues are resolved in later releases. See references for individual vulnerability details.
{
"affected": [
{
"package": {
"ecosystem": "CleanStart",
"name": "opensearch"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.6.0-r4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"credits": [],
"database_specific": {},
"details": "Multiple security vulnerabilities affect the opensearch package. These issues are resolved in later releases. See references for individual vulnerability details.",
"id": "CLEANSTART-2026-PM36304",
"modified": "2026-05-13T11:05:53Z",
"published": "2026-05-18T13:15:42.274600Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-PM36304.json"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33870"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-41417"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42580"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42581"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42584"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42585"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-2c5c-chwr-9hqw"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-38f8-5428-x5cv"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-72hv-8253-57qq"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-f6hv-jmp6-3vwv"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-m4cv-j2px-7723"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-mj4r-2hfc-f8p6"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-pwqr-wmgm-9rr8"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33870"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41417"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42580"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42581"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42584"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42585"
}
],
"related": [],
"schema_version": "1.7.3",
"summary": "Security fixes for CVE-2026-33870, CVE-2026-41417, CVE-2026-42580, CVE-2026-42581, CVE-2026-42584, CVE-2026-42585, ghsa-2c5c-chwr-9hqw, ghsa-38f8-5428-x5cv, ghsa-72hv-8253-57qq, ghsa-f6hv-jmp6-3vwv, ghsa-m4cv-j2px-7723, ghsa-mj4r-2hfc-f8p6, ghsa-pwqr-wmgm-9rr8 applied in versions: 2.19.5-r0, 3.6.0-r4",
"upstream": [
"CVE-2026-33870",
"CVE-2026-41417",
"CVE-2026-42580",
"CVE-2026-42581",
"CVE-2026-42584",
"CVE-2026-42585",
"ghsa-2c5c-chwr-9hqw",
"ghsa-38f8-5428-x5cv",
"ghsa-72hv-8253-57qq",
"ghsa-f6hv-jmp6-3vwv",
"ghsa-m4cv-j2px-7723",
"ghsa-mj4r-2hfc-f8p6",
"ghsa-pwqr-wmgm-9rr8"
]
}
cleanstart-2026-po27799
Vulnerability from cleanstart
Multiple security vulnerabilities affect the keycloak package. These issues are resolved in later releases. See references for individual vulnerability details.
| URL | Type | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"affected": [
{
"package": {
"ecosystem": "CleanStart",
"name": "keycloak"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "26.5.7-r0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"credits": [],
"database_specific": {},
"details": "Multiple security vulnerabilities affect the keycloak package. These issues are resolved in later releases. See references for individual vulnerability details.",
"id": "CLEANSTART-2026-PO27799",
"modified": "2026-05-07T10:33:31Z",
"published": "2026-05-18T13:37:33.587383Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-PO27799.json"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2017-12158"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2017-12159"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-59250"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-41417"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42198"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42577"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42578"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42579"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42580"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42581"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42583"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42584"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42585"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42587"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-5588"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-5598"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-38f8-5428-x5cv"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-3p8m-j85q-pgmj"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-45p5-v273-3qqr"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-45q3-82m4-75jr"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-4cx2-fc23-5wg6"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-57rv-r2g8-2cj3"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-5rfx-cp42-p624"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-72hv-8253-57qq"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-84h7-rjj3-6jx4"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-9342-92gg-6v29"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-98qh-xjc8-98pq"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-c3fc-8qff-9hwx"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-cbdj-484d-3x9q"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-cm33-6792-r9fm"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-fghv-69vj-qj49"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-h5fg-jpgr-rv9c"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-hq9p-pm7w-8p54"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-j288-q9x7-2f5v"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-m4cv-j2px-7723"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-mj4r-2hfc-f8p6"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-p93r-85wp-75v3"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-pwqr-wmgm-9rr8"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-rc95-pcm8-65v9"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-rwm7-x88c-3g2p"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-v8h7-rr48-vmmv"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-w9fj-cfpg-grvv"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-wg6q-6289-32hp"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-xxqh-mfjm-7mv9"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12158"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12159"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59250"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41417"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42198"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42577"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42578"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42579"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42580"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42581"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42583"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42584"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42585"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42587"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5588"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5598"
}
],
"related": [],
"schema_version": "1.7.3",
"summary": "Security fixes for CVE-2017-12158, CVE-2017-12159, CVE-2025-59250, CVE-2026-41417, CVE-2026-42198, CVE-2026-42577, CVE-2026-42578, CVE-2026-42579, CVE-2026-42580, CVE-2026-42581, CVE-2026-42583, CVE-2026-42584, CVE-2026-42585, CVE-2026-42587, CVE-2026-5588, CVE-2026-5598, ghsa-38f8-5428-x5cv, ghsa-3p8m-j85q-pgmj, ghsa-45p5-v273-3qqr, ghsa-45q3-82m4-75jr, ghsa-4cx2-fc23-5wg6, ghsa-57rv-r2g8-2cj3, ghsa-5rfx-cp42-p624, ghsa-72hv-8253-57qq, ghsa-84h7-rjj3-6jx4, ghsa-9342-92gg-6v29, ghsa-98qh-xjc8-98pq, ghsa-c3fc-8qff-9hwx, ghsa-cbdj-484d-3x9q, ghsa-cm33-6792-r9fm, ghsa-fghv-69vj-qj49, ghsa-h5fg-jpgr-rv9c, ghsa-hq9p-pm7w-8p54, ghsa-j288-q9x7-2f5v, ghsa-m4cv-j2px-7723, ghsa-mj4r-2hfc-f8p6, ghsa-p93r-85wp-75v3, ghsa-pwqr-wmgm-9rr8, ghsa-rc95-pcm8-65v9, ghsa-rwm7-x88c-3g2p, ghsa-v8h7-rr48-vmmv, ghsa-w9fj-cfpg-grvv, ghsa-wg6q-6289-32hp, ghsa-xxqh-mfjm-7mv9 applied in versions: 26.1.4-r1, 26.5.0-r2, 26.5.6-r3, 26.5.7-r0",
"upstream": [
"CVE-2017-12158",
"CVE-2017-12159",
"CVE-2025-59250",
"CVE-2026-41417",
"CVE-2026-42198",
"CVE-2026-42577",
"CVE-2026-42578",
"CVE-2026-42579",
"CVE-2026-42580",
"CVE-2026-42581",
"CVE-2026-42583",
"CVE-2026-42584",
"CVE-2026-42585",
"CVE-2026-42587",
"CVE-2026-5588",
"CVE-2026-5598",
"ghsa-38f8-5428-x5cv",
"ghsa-3p8m-j85q-pgmj",
"ghsa-45p5-v273-3qqr",
"ghsa-45q3-82m4-75jr",
"ghsa-4cx2-fc23-5wg6",
"ghsa-57rv-r2g8-2cj3",
"ghsa-5rfx-cp42-p624",
"ghsa-72hv-8253-57qq",
"ghsa-84h7-rjj3-6jx4",
"ghsa-9342-92gg-6v29",
"ghsa-98qh-xjc8-98pq",
"ghsa-c3fc-8qff-9hwx",
"ghsa-cbdj-484d-3x9q",
"ghsa-cm33-6792-r9fm",
"ghsa-fghv-69vj-qj49",
"ghsa-h5fg-jpgr-rv9c",
"ghsa-hq9p-pm7w-8p54",
"ghsa-j288-q9x7-2f5v",
"ghsa-m4cv-j2px-7723",
"ghsa-mj4r-2hfc-f8p6",
"ghsa-p93r-85wp-75v3",
"ghsa-pwqr-wmgm-9rr8",
"ghsa-rc95-pcm8-65v9",
"ghsa-rwm7-x88c-3g2p",
"ghsa-v8h7-rr48-vmmv",
"ghsa-w9fj-cfpg-grvv",
"ghsa-wg6q-6289-32hp",
"ghsa-xxqh-mfjm-7mv9"
]
}
cleanstart-2026-rn56220
Vulnerability from cleanstart
Multiple security vulnerabilities affect the stargate package. These issues are resolved in later releases. See references for individual vulnerability details.
| URL | Type | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"affected": [
{
"package": {
"ecosystem": "CleanStart",
"name": "stargate"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.44-r6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"credits": [],
"database_specific": {},
"details": "Multiple security vulnerabilities affect the stargate package. These issues are resolved in later releases. See references for individual vulnerability details.",
"id": "CLEANSTART-2026-RN56220",
"modified": "2026-05-12T18:00:20Z",
"published": "2026-05-18T13:26:54.415325Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-RN56220.json"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2015-3254"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2018-10237"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2018-11798"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2018-1320"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2018-20200"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2019-0205"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2020-8908"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2021-0341"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2021-41973"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2022-1471"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2022-24823"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2022-3171"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2022-3509"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2022-3510"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2022-41881"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2023-2976"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2023-34462"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2023-44487"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2023-46120"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2024-13009"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2024-29025"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2024-40094"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2024-47535"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2024-6763"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2024-7254"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-11143"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-25193"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-46392"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-48734"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-48924"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-53864"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-55163"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-58056"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-58057"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-59419"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-67735"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1225"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-21452"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27315"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32588"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33870"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33871"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-41409"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-41417"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-41635"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42578"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42579"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42580"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42581"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42583"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42584"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42585"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42586"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42587"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42778"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42779"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-44248"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-269q-hmxg-m83q"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-389x-839f-4rhx"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-38f8-5428-x5cv"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-3cqm-mf7h-prrj"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-3p8m-j85q-pgmj"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-45q3-82m4-75jr"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-4gg5-vx3j-xwc7"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-57rv-r2g8-2cj3"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-5jpm-x58v-624v"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-5mg8-w23w-74h3"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-6mjq-h674-j845"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-72hv-8253-57qq"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-735f-pc8j-v9w8"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-7g45-4rm6-3mm3"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-8297-v2rf-2p32"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-84h7-rjj3-6jx4"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-995c-6rp3-4m4x"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-cm33-6792-r9fm"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-cw39-r4h6-8j3x"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-f2wh-grmh-r6jm"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-f6hv-jmp6-3vwv"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-fghv-69vj-qj49"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-fh34-c629-p8xj"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-fx2c-96vj-985v"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-g5ww-5jh7-63cx"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-h4h5-3hr4-j3g2"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-h9mq-f6q5-6c8m"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-j288-q9x7-2f5v"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-jfg9-48mv-9qgx"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-jq43-27x9-3v86"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-m4cv-j2px-7723"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-mj4r-2hfc-f8p6"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-mjmj-j48q-9wg2"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-mm8h-8587-p46h"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-mvr2-9pj6-7w5j"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-prj3-ccx8-p6x4"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-pvp8-3xj6-8c6x"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-pwqr-wmgm-9rr8"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-qffm-gf3j-6mvg"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-qh8g-58pp-2wxh"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-qqpg-mvqg-649v"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-rgrr-p7gp-5xj7"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-rj7p-rfgp-852x"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-v8h7-rr48-vmmv"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-vf5j-865m-mq7c"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-vx85-mj8c-4qm6"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-w33c-445m-f8w7"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-w9fj-cfpg-grvv"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-wjpw-4j6x-6rwh"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-wjxj-f8rg-99wx"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-wxr5-93ph-8wr9"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-xpw8-rcwv-8f8p"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-xq3w-v528-46rv"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-xwmg-2g98-w7v9"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-xxqh-mfjm-7mv9"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-3254"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10237"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11798"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1320"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20200"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0205"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8908"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0341"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41973"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1471"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24823"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3171"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3509"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3510"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41881"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2976"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34462"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44487"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46120"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13009"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29025"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40094"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47535"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6763"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7254"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11143"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25193"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46392"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48734"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48924"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53864"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55163"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58056"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58057"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59419"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67735"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1225"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21452"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27315"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32588"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33870"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33871"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41409"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41417"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41635"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42578"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42579"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42580"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42581"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42583"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42584"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42585"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42586"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42587"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42778"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42779"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44248"
}
],
"related": [],
"schema_version": "1.7.3",
"summary": "Security fixes for CVE-2015-3254, CVE-2018-10237, CVE-2018-11798, CVE-2018-1320, CVE-2018-20200, CVE-2019-0205, CVE-2020-8908, CVE-2021-0341, CVE-2021-41973, CVE-2022-1471, CVE-2022-24823, CVE-2022-3171, CVE-2022-3509, CVE-2022-3510, CVE-2022-41881, CVE-2023-2976, CVE-2023-34462, CVE-2023-44487, CVE-2023-46120, CVE-2024-13009, CVE-2024-29025, CVE-2024-40094, CVE-2024-47535, CVE-2024-6763, CVE-2024-7254, CVE-2025-11143, CVE-2025-25193, CVE-2025-46392, CVE-2025-48734, CVE-2025-48924, CVE-2025-53864, CVE-2025-55163, CVE-2025-58056, CVE-2025-58057, CVE-2025-59419, CVE-2025-67735, CVE-2026-1225, CVE-2026-21452, CVE-2026-27315, CVE-2026-32588, CVE-2026-33870, CVE-2026-33871, CVE-2026-41409, CVE-2026-41417, CVE-2026-41635, CVE-2026-42578, CVE-2026-42579, CVE-2026-42580, CVE-2026-42581, CVE-2026-42583, CVE-2026-42584, CVE-2026-42585, CVE-2026-42586, CVE-2026-42587, CVE-2026-42778, CVE-2026-42779, CVE-2026-44248, ghsa-269q-hmxg-m83q, ghsa-389x-839f-4rhx, ghsa-38f8-5428-x5cv, ghsa-3cqm-mf7h-prrj, ghsa-3p8m-j85q-pgmj, ghsa-45q3-82m4-75jr, ghsa-4gg5-vx3j-xwc7, ghsa-57rv-r2g8-2cj3, ghsa-5jpm-x58v-624v, ghsa-5mg8-w23w-74h3, ghsa-6mjq-h674-j845, ghsa-72hv-8253-57qq, ghsa-735f-pc8j-v9w8, ghsa-7g45-4rm6-3mm3, ghsa-8297-v2rf-2p32, ghsa-84h7-rjj3-6jx4, ghsa-995c-6rp3-4m4x, ghsa-cm33-6792-r9fm, ghsa-cw39-r4h6-8j3x, ghsa-f2wh-grmh-r6jm, ghsa-f6hv-jmp6-3vwv, ghsa-fghv-69vj-qj49, ghsa-fh34-c629-p8xj, ghsa-fx2c-96vj-985v, ghsa-g5ww-5jh7-63cx, ghsa-h4h5-3hr4-j3g2, ghsa-h9mq-f6q5-6c8m, ghsa-j288-q9x7-2f5v, ghsa-jfg9-48mv-9qgx, ghsa-jq43-27x9-3v86, ghsa-m4cv-j2px-7723, ghsa-mj4r-2hfc-f8p6, ghsa-mjmj-j48q-9wg2, ghsa-mm8h-8587-p46h, ghsa-mvr2-9pj6-7w5j, ghsa-prj3-ccx8-p6x4, ghsa-pvp8-3xj6-8c6x, ghsa-pwqr-wmgm-9rr8, ghsa-qffm-gf3j-6mvg, ghsa-qh8g-58pp-2wxh, ghsa-qqpg-mvqg-649v, ghsa-rgrr-p7gp-5xj7, ghsa-rj7p-rfgp-852x, ghsa-v8h7-rr48-vmmv, ghsa-vf5j-865m-mq7c, ghsa-vx85-mj8c-4qm6, ghsa-w33c-445m-f8w7, ghsa-w9fj-cfpg-grvv, ghsa-wjpw-4j6x-6rwh, ghsa-wjxj-f8rg-99wx, ghsa-wxr5-93ph-8wr9, ghsa-xpw8-rcwv-8f8p, ghsa-xq3w-v528-46rv, ghsa-xwmg-2g98-w7v9, ghsa-xxqh-mfjm-7mv9 applied in versions: 2.0.44-r4, 2.0.44-r5, 2.0.44-r6",
"upstream": [
"CVE-2015-3254",
"CVE-2018-10237",
"CVE-2018-11798",
"CVE-2018-1320",
"CVE-2018-20200",
"CVE-2019-0205",
"CVE-2020-8908",
"CVE-2021-0341",
"CVE-2021-41973",
"CVE-2022-1471",
"CVE-2022-24823",
"CVE-2022-3171",
"CVE-2022-3509",
"CVE-2022-3510",
"CVE-2022-41881",
"CVE-2023-2976",
"CVE-2023-34462",
"CVE-2023-44487",
"CVE-2023-46120",
"CVE-2024-13009",
"CVE-2024-29025",
"CVE-2024-40094",
"CVE-2024-47535",
"CVE-2024-6763",
"CVE-2024-7254",
"CVE-2025-11143",
"CVE-2025-25193",
"CVE-2025-46392",
"CVE-2025-48734",
"CVE-2025-48924",
"CVE-2025-53864",
"CVE-2025-55163",
"CVE-2025-58056",
"CVE-2025-58057",
"CVE-2025-59419",
"CVE-2025-67735",
"CVE-2026-1225",
"CVE-2026-21452",
"CVE-2026-27315",
"CVE-2026-32588",
"CVE-2026-33870",
"CVE-2026-33871",
"CVE-2026-41409",
"CVE-2026-41417",
"CVE-2026-41635",
"CVE-2026-42578",
"CVE-2026-42579",
"CVE-2026-42580",
"CVE-2026-42581",
"CVE-2026-42583",
"CVE-2026-42584",
"CVE-2026-42585",
"CVE-2026-42586",
"CVE-2026-42587",
"CVE-2026-42778",
"CVE-2026-42779",
"CVE-2026-44248",
"ghsa-269q-hmxg-m83q",
"ghsa-389x-839f-4rhx",
"ghsa-38f8-5428-x5cv",
"ghsa-3cqm-mf7h-prrj",
"ghsa-3p8m-j85q-pgmj",
"ghsa-45q3-82m4-75jr",
"ghsa-4gg5-vx3j-xwc7",
"ghsa-57rv-r2g8-2cj3",
"ghsa-5jpm-x58v-624v",
"ghsa-5mg8-w23w-74h3",
"ghsa-6mjq-h674-j845",
"ghsa-72hv-8253-57qq",
"ghsa-735f-pc8j-v9w8",
"ghsa-7g45-4rm6-3mm3",
"ghsa-8297-v2rf-2p32",
"ghsa-84h7-rjj3-6jx4",
"ghsa-995c-6rp3-4m4x",
"ghsa-cm33-6792-r9fm",
"ghsa-cw39-r4h6-8j3x",
"ghsa-f2wh-grmh-r6jm",
"ghsa-f6hv-jmp6-3vwv",
"ghsa-fghv-69vj-qj49",
"ghsa-fh34-c629-p8xj",
"ghsa-fx2c-96vj-985v",
"ghsa-g5ww-5jh7-63cx",
"ghsa-h4h5-3hr4-j3g2",
"ghsa-h9mq-f6q5-6c8m",
"ghsa-j288-q9x7-2f5v",
"ghsa-jfg9-48mv-9qgx",
"ghsa-jq43-27x9-3v86",
"ghsa-m4cv-j2px-7723",
"ghsa-mj4r-2hfc-f8p6",
"ghsa-mjmj-j48q-9wg2",
"ghsa-mm8h-8587-p46h",
"ghsa-mvr2-9pj6-7w5j",
"ghsa-prj3-ccx8-p6x4",
"ghsa-pvp8-3xj6-8c6x",
"ghsa-pwqr-wmgm-9rr8",
"ghsa-qffm-gf3j-6mvg",
"ghsa-qh8g-58pp-2wxh",
"ghsa-qqpg-mvqg-649v",
"ghsa-rgrr-p7gp-5xj7",
"ghsa-rj7p-rfgp-852x",
"ghsa-v8h7-rr48-vmmv",
"ghsa-vf5j-865m-mq7c",
"ghsa-vx85-mj8c-4qm6",
"ghsa-w33c-445m-f8w7",
"ghsa-w9fj-cfpg-grvv",
"ghsa-wjpw-4j6x-6rwh",
"ghsa-wjxj-f8rg-99wx",
"ghsa-wxr5-93ph-8wr9",
"ghsa-xpw8-rcwv-8f8p",
"ghsa-xq3w-v528-46rv",
"ghsa-xwmg-2g98-w7v9",
"ghsa-xxqh-mfjm-7mv9"
]
}
cleanstart-2026-ru36468
Vulnerability from cleanstart
Multiple security vulnerabilities affect the wildfly package. These issues are resolved in later releases. See references for individual vulnerability details.
| URL | Type | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"affected": [
{
"package": {
"ecosystem": "CleanStart",
"name": "wildfly"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "39.0.1-r0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"credits": [],
"database_specific": {},
"details": "Multiple security vulnerabilities affect the wildfly package. These issues are resolved in later releases. See references for individual vulnerability details.",
"id": "CLEANSTART-2026-RU36468",
"modified": "2026-06-04T05:30:36Z",
"published": "2026-06-08T14:00:50.454920Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-RU36468.json"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-0636"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-3260"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33558"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33870"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33871"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-3505"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-35554"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-41417"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42402"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42403"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42404"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42578"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42579"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42580"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42581"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42583"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42584"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42585"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42587"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-5588"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-5598"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-287c-fxr7-3w6c"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-2hfh-9h53-qc24"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-38f8-5428-x5cv"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-45q3-82m4-75jr"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-57rv-r2g8-2cj3"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-5qcv-4rpc-jp93"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-72hv-8253-57qq"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-c3fc-8qff-9hwx"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-cj8j-37rh-8475"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-cm33-6792-r9fm"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-f6hv-jmp6-3vwv"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-g36m-9g3m-2vmp"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-m4cv-j2px-7723"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-mj4r-2hfc-f8p6"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-p93r-85wp-75v3"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-pwqr-wmgm-9rr8"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-v8h7-rr48-vmmv"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-w9fj-cfpg-grvv"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-wf66-mphr-4c4r"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-wg6q-6289-32hp"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-xxqh-mfjm-7mv9"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0636"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3260"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33558"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33870"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33871"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3505"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35554"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41417"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42402"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42403"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42404"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42578"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42579"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42580"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42581"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42583"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42584"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42585"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42587"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5588"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5598"
}
],
"related": [],
"schema_version": "1.7.3",
"summary": "Security fixes for CVE-2026-0636, CVE-2026-3260, CVE-2026-33558, CVE-2026-33870, CVE-2026-33871, CVE-2026-3505, CVE-2026-35554, CVE-2026-41417, CVE-2026-42402, CVE-2026-42403, CVE-2026-42404, CVE-2026-42578, CVE-2026-42579, CVE-2026-42580, CVE-2026-42581, CVE-2026-42583, CVE-2026-42584, CVE-2026-42585, CVE-2026-42587, CVE-2026-5588, CVE-2026-5598, ghsa-287c-fxr7-3w6c, ghsa-2hfh-9h53-qc24, ghsa-38f8-5428-x5cv, ghsa-45q3-82m4-75jr, ghsa-57rv-r2g8-2cj3, ghsa-5qcv-4rpc-jp93, ghsa-72hv-8253-57qq, ghsa-c3fc-8qff-9hwx, ghsa-cj8j-37rh-8475, ghsa-cm33-6792-r9fm, ghsa-f6hv-jmp6-3vwv, ghsa-g36m-9g3m-2vmp, ghsa-m4cv-j2px-7723, ghsa-mj4r-2hfc-f8p6, ghsa-p93r-85wp-75v3, ghsa-pwqr-wmgm-9rr8, ghsa-v8h7-rr48-vmmv, ghsa-w9fj-cfpg-grvv, ghsa-wf66-mphr-4c4r, ghsa-wg6q-6289-32hp, ghsa-xxqh-mfjm-7mv9 applied in versions: 39.0.1-r0",
"upstream": [
"CVE-2026-0636",
"CVE-2026-3260",
"CVE-2026-33558",
"CVE-2026-33870",
"CVE-2026-33871",
"CVE-2026-3505",
"CVE-2026-35554",
"CVE-2026-41417",
"CVE-2026-42402",
"CVE-2026-42403",
"CVE-2026-42404",
"CVE-2026-42578",
"CVE-2026-42579",
"CVE-2026-42580",
"CVE-2026-42581",
"CVE-2026-42583",
"CVE-2026-42584",
"CVE-2026-42585",
"CVE-2026-42587",
"CVE-2026-5588",
"CVE-2026-5598",
"ghsa-287c-fxr7-3w6c",
"ghsa-2hfh-9h53-qc24",
"ghsa-38f8-5428-x5cv",
"ghsa-45q3-82m4-75jr",
"ghsa-57rv-r2g8-2cj3",
"ghsa-5qcv-4rpc-jp93",
"ghsa-72hv-8253-57qq",
"ghsa-c3fc-8qff-9hwx",
"ghsa-cj8j-37rh-8475",
"ghsa-cm33-6792-r9fm",
"ghsa-f6hv-jmp6-3vwv",
"ghsa-g36m-9g3m-2vmp",
"ghsa-m4cv-j2px-7723",
"ghsa-mj4r-2hfc-f8p6",
"ghsa-p93r-85wp-75v3",
"ghsa-pwqr-wmgm-9rr8",
"ghsa-v8h7-rr48-vmmv",
"ghsa-w9fj-cfpg-grvv",
"ghsa-wf66-mphr-4c4r",
"ghsa-wg6q-6289-32hp",
"ghsa-xxqh-mfjm-7mv9"
]
}
cleanstart-2026-vj37814
Vulnerability from cleanstart
Multiple security vulnerabilities affect the keycloak package. These issues are resolved in later releases. See references for individual vulnerability details.
| URL | Type | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"affected": [
{
"package": {
"ecosystem": "CleanStart",
"name": "keycloak"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "26.4.11-r2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"credits": [],
"database_specific": {},
"details": "Multiple security vulnerabilities affect the keycloak package. These issues are resolved in later releases. See references for individual vulnerability details.",
"id": "CLEANSTART-2026-VJ37814",
"modified": "2026-05-07T10:32:20Z",
"published": "2026-05-18T13:37:33.552809Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-VJ37814.json"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-59250"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1002"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33870"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33871"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-39852"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-41417"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42198"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42577"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42578"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42579"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42580"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42581"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42583"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42584"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42585"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42587"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-5588"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-5598"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-38f8-5428-x5cv"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-3p8m-j85q-pgmj"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-45p5-v273-3qqr"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-45q3-82m4-75jr"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-4cx2-fc23-5wg6"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-57rv-r2g8-2cj3"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-9342-92gg-6v29"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-98qh-xjc8-98pq"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-c3fc-8qff-9hwx"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-cm33-6792-r9fm"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-cphf-4846-3xx9"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-fghv-69vj-qj49"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-h5fg-jpgr-rv9c"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-hq9p-pm7w-8p54"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-j288-q9x7-2f5v"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-m4cv-j2px-7723"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-mj4r-2hfc-f8p6"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-p93r-85wp-75v3"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-pwqr-wmgm-9rr8"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-rc95-pcm8-65v9"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-rwm7-x88c-3g2p"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-v8h7-rr48-vmmv"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-w9fj-cfpg-grvv"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-wg6q-6289-32hp"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-xxqh-mfjm-7mv9"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59250"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1002"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33870"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33871"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39852"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41417"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42198"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42577"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42578"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42579"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42580"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42581"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42583"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42584"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42585"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42587"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5588"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5598"
}
],
"related": [],
"schema_version": "1.7.3",
"summary": "Security fixes for CVE-2025-59250, CVE-2026-1002, CVE-2026-33870, CVE-2026-33871, CVE-2026-39852, CVE-2026-41417, CVE-2026-42198, CVE-2026-42577, CVE-2026-42578, CVE-2026-42579, CVE-2026-42580, CVE-2026-42581, CVE-2026-42583, CVE-2026-42584, CVE-2026-42585, CVE-2026-42587, CVE-2026-5588, CVE-2026-5598, ghsa-38f8-5428-x5cv, ghsa-3p8m-j85q-pgmj, ghsa-45p5-v273-3qqr, ghsa-45q3-82m4-75jr, ghsa-4cx2-fc23-5wg6, ghsa-57rv-r2g8-2cj3, ghsa-9342-92gg-6v29, ghsa-98qh-xjc8-98pq, ghsa-c3fc-8qff-9hwx, ghsa-cm33-6792-r9fm, ghsa-cphf-4846-3xx9, ghsa-fghv-69vj-qj49, ghsa-h5fg-jpgr-rv9c, ghsa-hq9p-pm7w-8p54, ghsa-j288-q9x7-2f5v, ghsa-m4cv-j2px-7723, ghsa-mj4r-2hfc-f8p6, ghsa-p93r-85wp-75v3, ghsa-pwqr-wmgm-9rr8, ghsa-rc95-pcm8-65v9, ghsa-rwm7-x88c-3g2p, ghsa-v8h7-rr48-vmmv, ghsa-w9fj-cfpg-grvv, ghsa-wg6q-6289-32hp, ghsa-xxqh-mfjm-7mv9 applied in versions: 26.1.4-r1, 26.4.11-r0, 26.4.11-r2",
"upstream": [
"CVE-2025-59250",
"CVE-2026-1002",
"CVE-2026-33870",
"CVE-2026-33871",
"CVE-2026-39852",
"CVE-2026-41417",
"CVE-2026-42198",
"CVE-2026-42577",
"CVE-2026-42578",
"CVE-2026-42579",
"CVE-2026-42580",
"CVE-2026-42581",
"CVE-2026-42583",
"CVE-2026-42584",
"CVE-2026-42585",
"CVE-2026-42587",
"CVE-2026-5588",
"CVE-2026-5598",
"ghsa-38f8-5428-x5cv",
"ghsa-3p8m-j85q-pgmj",
"ghsa-45p5-v273-3qqr",
"ghsa-45q3-82m4-75jr",
"ghsa-4cx2-fc23-5wg6",
"ghsa-57rv-r2g8-2cj3",
"ghsa-9342-92gg-6v29",
"ghsa-98qh-xjc8-98pq",
"ghsa-c3fc-8qff-9hwx",
"ghsa-cm33-6792-r9fm",
"ghsa-cphf-4846-3xx9",
"ghsa-fghv-69vj-qj49",
"ghsa-h5fg-jpgr-rv9c",
"ghsa-hq9p-pm7w-8p54",
"ghsa-j288-q9x7-2f5v",
"ghsa-m4cv-j2px-7723",
"ghsa-mj4r-2hfc-f8p6",
"ghsa-p93r-85wp-75v3",
"ghsa-pwqr-wmgm-9rr8",
"ghsa-rc95-pcm8-65v9",
"ghsa-rwm7-x88c-3g2p",
"ghsa-v8h7-rr48-vmmv",
"ghsa-w9fj-cfpg-grvv",
"ghsa-wg6q-6289-32hp",
"ghsa-xxqh-mfjm-7mv9"
]
}
FKIE_CVE-2026-42584
Vulnerability from fkie_nvd - Published: 2026-05-13 19:17 - Updated: 2026-07-10 12:169.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
7.3 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | https://github.com/netty/netty/security/advisories/GHSA-57rv-r2g8-2cj3 | Exploit, Vendor Advisory | |
| 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | https://access.redhat.com/errata/RHSA-2026:23808 | ||
| 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | https://access.redhat.com/errata/RHSA-2026:24502 | ||
| 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | https://access.redhat.com/errata/RHSA-2026:25123 | ||
| 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | https://access.redhat.com/errata/RHSA-2026:28010 | ||
| 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | https://access.redhat.com/errata/RHSA-2026:36820 | ||
| 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | https://access.redhat.com/errata/RHSA-2026:37390 | ||
| 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | https://access.redhat.com/security/cve/CVE-2026-42584 | ||
| 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | https://bugzilla.redhat.com/show_bug.cgi?id=2477224 | ||
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | https://github.com/netty/netty/security/advisories/GHSA-57rv-r2g8-2cj3 | Exploit, Vendor Advisory | |
| 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42584.json |
{
"affected": [
{
"affectedData": [
{
"product": "netty",
"vendor": "netty",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.2.0.Alpha1, \u003c 4.2.13.Final"
},
{
"status": "affected",
"version": "\u003c 4.1.133.Final"
}
]
},
{
"product": "netty-codec-http",
"vendor": "io.netty",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.2.0.Alpha1, \u003c 4.2.13.Final"
},
{
"status": "affected",
"version": "\u003c 4.1.133.Final"
}
]
}
],
"source": "security-advisories@github.com"
},
{
"affectedData": [
{
"cpes": [
"cpe:/a:redhat:cryostat:4::el9"
],
"defaultStatus": "affected",
"product": "Cryostat 4 on RHEL 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_devspaces:3.28::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Dev Spaces 3.28",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_devspaces:3.29::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Dev Spaces 3.29",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:apache_camel_spring_boot:4.18"
],
"defaultStatus": "affected",
"product": "Red Hat build of Apache Camel 4.18.1.P1 for Spring Boot 3.5.16",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:quarkus:3.27::el8"
],
"defaultStatus": "affected",
"product": "Red Hat build of Quarkus 3.27.4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:quarkus:3.33::el8"
],
"defaultStatus": "affected",
"product": "Red Hat build of Quarkus 3.33.2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:serverless:1"
],
"defaultStatus": "affected",
"product": "OpenShift Serverless",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:amq_broker:7"
],
"defaultStatus": "affected",
"product": "Red Hat AMQ Broker 7",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:amq_clients:2023"
],
"defaultStatus": "affected",
"product": "Red Hat AMQ Clients",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_registry:2"
],
"defaultStatus": "affected",
"product": "Red Hat build of Apicurio Registry 2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:apicurio_registry:3"
],
"defaultStatus": "affected",
"product": "Red Hat build of Apicurio Registry 3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:debezium:3"
],
"defaultStatus": "affected",
"product": "Red Hat build of Debezium 3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:build_keycloak:"
],
"defaultStatus": "affected",
"product": "Red Hat Build of Keycloak",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:optaplanner:::el6"
],
"defaultStatus": "affected",
"product": "Red Hat build of OptaPlanner 8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:jboss_data_grid:8"
],
"defaultStatus": "affected",
"product": "Red Hat Data Grid 8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux_ai:3"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:jboss_fuse:7"
],
"defaultStatus": "affected",
"product": "Red Hat Fuse 7",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7"
],
"defaultStatus": "affected",
"product": "Red Hat JBoss Enterprise Application Platform 7",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:8"
],
"defaultStatus": "affected",
"product": "Red Hat JBoss Enterprise Application Platform 8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:jbosseapxp"
],
"defaultStatus": "affected",
"product": "Red Hat JBoss Enterprise Application Platform Expansion Pack",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift AI (RHOAI)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
],
"defaultStatus": "affected",
"product": "Red Hat Process Automation 7",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:red_hat_single_sign_on:7"
],
"defaultStatus": "affected",
"product": "Red Hat Single Sign-On 7",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:amq_streams:3"
],
"defaultStatus": "affected",
"product": "streams for Apache Kafka 3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:camel_quarkus:3"
],
"defaultStatus": "unaffected",
"product": "Red Hat build of Apache Camel 4 for Quarkus 3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:satellite:6"
],
"defaultStatus": "unaffected",
"product": "Red Hat Satellite 6",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:amq_streams:2"
],
"defaultStatus": "unaffected",
"product": "streams for Apache Kafka 2",
"vendor": "Red Hat"
}
],
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c"
}
],
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DFE205A5-2C43-40C9-A2FF-CF6759B8D861",
"versionEndExcluding": "4.1.133",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D94A720F-9CED-4BE9-8C37-FD9E2FD28472",
"versionEndExcluding": "4.2.13",
"versionStartIncluding": "4.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll() once per response, including for 1xx. If the client pipelines GET then HEAD and the server sends 103, then 200 with GET body, then 200 for HEAD, the queue pairs HEAD with the first 200. The HEAD rule then skips reading that message\u2019s body, so the GET entity bytes stay on the stream and the following 200 is parsed from the wrong offset. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final."
}
],
"id": "CVE-2026-42584",
"lastModified": "2026-07-10T12:16:54.507",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.4,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.2,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.4,
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"type": "Secondary"
}
],
"ssvcV203": [
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"ssvcData": {
"id": "CVE-2026-42584",
"options": [
{
"exploitation": "poc"
},
{
"automatable": "yes"
},
{
"technicalImpact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T18:35:01.642953Z",
"version": "2.0.3"
}
}
]
},
"published": "2026-05-13T19:17:24.043",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/netty/netty/security/advisories/GHSA-57rv-r2g8-2cj3"
},
{
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"url": "https://access.redhat.com/errata/RHSA-2026:23808"
},
{
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"url": "https://access.redhat.com/errata/RHSA-2026:24502"
},
{
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"url": "https://access.redhat.com/errata/RHSA-2026:25123"
},
{
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"url": "https://access.redhat.com/errata/RHSA-2026:28010"
},
{
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"url": "https://access.redhat.com/errata/RHSA-2026:36820"
},
{
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"url": "https://access.redhat.com/errata/RHSA-2026:37390"
},
{
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"url": "https://access.redhat.com/security/cve/CVE-2026-42584"
},
{
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2477224"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/netty/netty/security/advisories/GHSA-57rv-r2g8-2cj3"
},
{
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42584.json"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-444"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-444"
}
],
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"type": "Secondary"
}
]
}
GHSA-57RV-R2G8-2CJ3
Vulnerability from github – Published: 2026-05-07 00:21 – Updated: 2026-05-14 20:41Summary
If HttpClientCodec is configured, there are use cases when a response body from one request, can be parsed as another's.
Details
HttpClientCodec pairs each inbound response with an outbound request by queue.poll() once per response, including for 1xx. If the client pipelines GET then HEAD and the server sends 103, then 200 with GET body, then 200 for HEAD, the queue pairs HEAD with the first 200. The HEAD rule then skips reading that message’s body, so the GET entity bytes stay on the stream and the following 200 is parsed from the wrong offset.
Prerequisites - HTTP/1.1 pipelining - HEAD in the pipeline - The server sends 1xx
PoC
@Test
public void test() {
EmbeddedChannel channel = new EmbeddedChannel(new HttpClientCodec());
assertTrue(channel.writeOutbound(new DefaultFullHttpRequest(HttpVersion.HTTP_1_1, HttpMethod.GET, "/1")));
ByteBuf request = channel.readOutbound();
request.release();
assertNull(channel.readOutbound());
assertTrue(channel.writeOutbound(new DefaultFullHttpRequest(HttpVersion.HTTP_1_1, HttpMethod.HEAD, "/2")));
request = channel.readOutbound();
request.release();
assertNull(channel.readOutbound());
String responseStr = "HTTP/1.1 103 Early Hints\r\n\r\n" +
"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello" +
"HTTP/1.1 200 OK\r\n\r\n";
assertTrue(channel.writeInbound(Unpooled.copiedBuffer(responseStr, CharsetUtil.US_ASCII)));
// Response 1
HttpResponse response = channel.readInbound();
assertEquals(HttpResponseStatus.EARLY_HINTS, response.status());
LastHttpContent last = channel.readInbound();
assertEquals(0, last.content().readableBytes());
last.release();
// Response 2
response = channel.readInbound();
assertEquals(HttpResponseStatus.OK, response.status());
last = channel.readInbound();
assertEquals(0, last.content().readableBytes());
last.release();
// Response 3
FullHttpResponse response1 = channel.readInbound();
assertTrue(response1.decoderResult().isFailure());
assertEquals(0, response1.content().readableBytes());
response1.release();
assertFalse(channel.finish());
}
Impact
Integrity/availability of HTTP parsing on that connection, unsafe reuse of the socket.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.2.12.Final"
},
"package": {
"ecosystem": "Maven",
"name": "io.netty:netty-codec-http"
},
"ranges": [
{
"events": [
{
"introduced": "4.2.0.Alpha1"
},
{
"fixed": "4.2.13.Final"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.1.132.Final"
},
"package": {
"ecosystem": "Maven",
"name": "io.netty:netty-codec-http"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.1.133.Final"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-42584"
],
"database_specific": {
"cwe_ids": [
"CWE-444"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-07T00:21:48Z",
"nvd_published_at": "2026-05-13T19:17:24Z",
"severity": "HIGH"
},
"details": "### Summary\n If HttpClientCodec is configured, there are use cases when a response body from one request, can be parsed as another\u0027s.\n\n### Details\nHttpClientCodec pairs each inbound response with an outbound request by `queue.poll()` once per response, including for `1xx`. If the client pipelines GET then HEAD and the server sends 103, then 200 with GET body, then 200 for HEAD, the queue pairs HEAD with the first 200. The HEAD rule then skips reading that message\u2019s body, so the GET entity bytes stay on the stream and the following 200 is parsed from the wrong offset.\n\nPrerequisites \n- HTTP/1.1 pipelining\n- HEAD in the pipeline\n- The server sends 1xx\n\n### PoC\n\n```java\n @Test\n public void test() {\n EmbeddedChannel channel = new EmbeddedChannel(new HttpClientCodec());\n\n assertTrue(channel.writeOutbound(new DefaultFullHttpRequest(HttpVersion.HTTP_1_1, HttpMethod.GET, \"/1\")));\n ByteBuf request = channel.readOutbound();\n request.release();\n assertNull(channel.readOutbound());\n\n assertTrue(channel.writeOutbound(new DefaultFullHttpRequest(HttpVersion.HTTP_1_1, HttpMethod.HEAD, \"/2\")));\n request = channel.readOutbound();\n request.release();\n assertNull(channel.readOutbound());\n\n String responseStr = \"HTTP/1.1 103 Early Hints\\r\\n\\r\\n\" +\n \"HTTP/1.1 200 OK\\r\\nContent-Length: 5\\r\\n\\r\\nhello\" +\n \"HTTP/1.1 200 OK\\r\\n\\r\\n\";\n assertTrue(channel.writeInbound(Unpooled.copiedBuffer(responseStr, CharsetUtil.US_ASCII)));\n\n // Response 1\n HttpResponse response = channel.readInbound();\n assertEquals(HttpResponseStatus.EARLY_HINTS, response.status());\n LastHttpContent last = channel.readInbound();\n assertEquals(0, last.content().readableBytes());\n last.release();\n\n // Response 2\n response = channel.readInbound();\n assertEquals(HttpResponseStatus.OK, response.status());\n last = channel.readInbound();\n assertEquals(0, last.content().readableBytes());\n last.release();\n\n // Response 3\n FullHttpResponse response1 = channel.readInbound();\n assertTrue(response1.decoderResult().isFailure());\n assertEquals(0, response1.content().readableBytes());\n response1.release();\n\n assertFalse(channel.finish());\n }\n```\n\n### Impact\nIntegrity/availability of HTTP parsing on that connection, unsafe reuse of the socket.",
"id": "GHSA-57rv-r2g8-2cj3",
"modified": "2026-05-14T20:41:17Z",
"published": "2026-05-07T00:21:48Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/netty/netty/security/advisories/GHSA-57rv-r2g8-2cj3"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42584"
},
{
"type": "PACKAGE",
"url": "https://github.com/netty/netty"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Netty has HttpClientCodec response desynchronization"
}
OPENSUSE-SU-2026:10795-1
Vulnerability from csaf_opensuse - Published: 2026-05-16 00:00 - Updated: 2026-05-16 00:00| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64 | — |
Vendor Fix
|
| URL | Category |
|---|---|
| https://www.suse.com/support/security/rating/ | external |
| https://ftp.suse.com/pub/projects/security/csaf/o… | self |
| https://www.suse.com/security/cve/CVE-2026-41417/ | self |
| https://www.suse.com/security/cve/CVE-2026-42578/ | self |
| https://www.suse.com/security/cve/CVE-2026-42579/ | self |
| https://www.suse.com/security/cve/CVE-2026-42580/ | self |
| https://www.suse.com/security/cve/CVE-2026-42581/ | self |
| https://www.suse.com/security/cve/CVE-2026-42582/ | self |
| https://www.suse.com/security/cve/CVE-2026-42583/ | self |
| https://www.suse.com/security/cve/CVE-2026-42584/ | self |
| https://www.suse.com/security/cve/CVE-2026-42585/ | self |
| https://www.suse.com/security/cve/CVE-2026-42586/ | self |
| https://www.suse.com/security/cve/CVE-2026-42587/ | self |
| https://www.suse.com/security/cve/CVE-2026-44248/ | self |
| https://www.suse.com/security/cve/CVE-2026-41417 | external |
| https://bugzilla.suse.com/1264350 | external |
| https://www.suse.com/security/cve/CVE-2026-42578 | external |
| https://bugzilla.suse.com/1265243 | external |
| https://www.suse.com/security/cve/CVE-2026-42579 | external |
| https://bugzilla.suse.com/1265272 | external |
| https://www.suse.com/security/cve/CVE-2026-42580 | external |
| https://bugzilla.suse.com/1265273 | external |
| https://www.suse.com/security/cve/CVE-2026-42581 | external |
| https://bugzilla.suse.com/1265277 | external |
| https://www.suse.com/security/cve/CVE-2026-42582 | external |
| https://bugzilla.suse.com/1265318 | external |
| https://www.suse.com/security/cve/CVE-2026-42583 | external |
| https://bugzilla.suse.com/1265279 | external |
| https://www.suse.com/security/cve/CVE-2026-42584 | external |
| https://bugzilla.suse.com/1265280 | external |
| https://www.suse.com/security/cve/CVE-2026-42585 | external |
| https://bugzilla.suse.com/1265291 | external |
| https://www.suse.com/security/cve/CVE-2026-42586 | external |
| https://bugzilla.suse.com/1265245 | external |
| https://www.suse.com/security/cve/CVE-2026-42587 | external |
| https://bugzilla.suse.com/1265246 | external |
| https://www.suse.com/security/cve/CVE-2026-44248 | external |
| https://bugzilla.suse.com/1265293 | external |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "netty-4.1.133-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the netty-4.1.133-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2026-10795",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10795-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-41417 page",
"url": "https://www.suse.com/security/cve/CVE-2026-41417/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-42578 page",
"url": "https://www.suse.com/security/cve/CVE-2026-42578/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-42579 page",
"url": "https://www.suse.com/security/cve/CVE-2026-42579/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-42580 page",
"url": "https://www.suse.com/security/cve/CVE-2026-42580/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-42581 page",
"url": "https://www.suse.com/security/cve/CVE-2026-42581/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-42582 page",
"url": "https://www.suse.com/security/cve/CVE-2026-42582/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-42583 page",
"url": "https://www.suse.com/security/cve/CVE-2026-42583/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-42584 page",
"url": "https://www.suse.com/security/cve/CVE-2026-42584/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-42585 page",
"url": "https://www.suse.com/security/cve/CVE-2026-42585/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-42586 page",
"url": "https://www.suse.com/security/cve/CVE-2026-42586/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-42587 page",
"url": "https://www.suse.com/security/cve/CVE-2026-42587/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-44248 page",
"url": "https://www.suse.com/security/cve/CVE-2026-44248/"
}
],
"title": "netty-4.1.133-1.1 on GA media",
"tracking": {
"current_release_date": "2026-05-16T00:00:00Z",
"generator": {
"date": "2026-05-16T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:10795-1",
"initial_release_date": "2026-05-16T00:00:00Z",
"revision_history": [
{
"date": "2026-05-16T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "netty-4.1.133-1.1.aarch64",
"product": {
"name": "netty-4.1.133-1.1.aarch64",
"product_id": "netty-4.1.133-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "netty-bom-4.1.133-1.1.aarch64",
"product": {
"name": "netty-bom-4.1.133-1.1.aarch64",
"product_id": "netty-bom-4.1.133-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "netty-javadoc-4.1.133-1.1.aarch64",
"product": {
"name": "netty-javadoc-4.1.133-1.1.aarch64",
"product_id": "netty-javadoc-4.1.133-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "netty-parent-4.1.133-1.1.aarch64",
"product": {
"name": "netty-parent-4.1.133-1.1.aarch64",
"product_id": "netty-parent-4.1.133-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "netty-4.1.133-1.1.ppc64le",
"product": {
"name": "netty-4.1.133-1.1.ppc64le",
"product_id": "netty-4.1.133-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "netty-bom-4.1.133-1.1.ppc64le",
"product": {
"name": "netty-bom-4.1.133-1.1.ppc64le",
"product_id": "netty-bom-4.1.133-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "netty-javadoc-4.1.133-1.1.ppc64le",
"product": {
"name": "netty-javadoc-4.1.133-1.1.ppc64le",
"product_id": "netty-javadoc-4.1.133-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "netty-parent-4.1.133-1.1.ppc64le",
"product": {
"name": "netty-parent-4.1.133-1.1.ppc64le",
"product_id": "netty-parent-4.1.133-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "netty-4.1.133-1.1.s390x",
"product": {
"name": "netty-4.1.133-1.1.s390x",
"product_id": "netty-4.1.133-1.1.s390x"
}
},
{
"category": "product_version",
"name": "netty-bom-4.1.133-1.1.s390x",
"product": {
"name": "netty-bom-4.1.133-1.1.s390x",
"product_id": "netty-bom-4.1.133-1.1.s390x"
}
},
{
"category": "product_version",
"name": "netty-javadoc-4.1.133-1.1.s390x",
"product": {
"name": "netty-javadoc-4.1.133-1.1.s390x",
"product_id": "netty-javadoc-4.1.133-1.1.s390x"
}
},
{
"category": "product_version",
"name": "netty-parent-4.1.133-1.1.s390x",
"product": {
"name": "netty-parent-4.1.133-1.1.s390x",
"product_id": "netty-parent-4.1.133-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "netty-4.1.133-1.1.x86_64",
"product": {
"name": "netty-4.1.133-1.1.x86_64",
"product_id": "netty-4.1.133-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "netty-bom-4.1.133-1.1.x86_64",
"product": {
"name": "netty-bom-4.1.133-1.1.x86_64",
"product_id": "netty-bom-4.1.133-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "netty-javadoc-4.1.133-1.1.x86_64",
"product": {
"name": "netty-javadoc-4.1.133-1.1.x86_64",
"product_id": "netty-javadoc-4.1.133-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "netty-parent-4.1.133-1.1.x86_64",
"product": {
"name": "netty-parent-4.1.133-1.1.x86_64",
"product_id": "netty-parent-4.1.133-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-4.1.133-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64"
},
"product_reference": "netty-4.1.133-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-4.1.133-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le"
},
"product_reference": "netty-4.1.133-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-4.1.133-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-4.1.133-1.1.s390x"
},
"product_reference": "netty-4.1.133-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-4.1.133-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64"
},
"product_reference": "netty-4.1.133-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-bom-4.1.133-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64"
},
"product_reference": "netty-bom-4.1.133-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-bom-4.1.133-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le"
},
"product_reference": "netty-bom-4.1.133-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-bom-4.1.133-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x"
},
"product_reference": "netty-bom-4.1.133-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-bom-4.1.133-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64"
},
"product_reference": "netty-bom-4.1.133-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-javadoc-4.1.133-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64"
},
"product_reference": "netty-javadoc-4.1.133-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-javadoc-4.1.133-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le"
},
"product_reference": "netty-javadoc-4.1.133-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-javadoc-4.1.133-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x"
},
"product_reference": "netty-javadoc-4.1.133-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-javadoc-4.1.133-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64"
},
"product_reference": "netty-javadoc-4.1.133-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-parent-4.1.133-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64"
},
"product_reference": "netty-parent-4.1.133-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-parent-4.1.133-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le"
},
"product_reference": "netty-parent-4.1.133-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-parent-4.1.133-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x"
},
"product_reference": "netty-parent-4.1.133-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "netty-parent-4.1.133-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
},
"product_reference": "netty-parent-4.1.133-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-41417",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-41417"
}
],
"notes": [
{
"category": "general",
"text": "Netty allows request-line validation to be bypassed when a `DefaultHttpRequest` or `DefaultFullHttpRequest` is created first and its URI is later changed via `setUri()`. The constructors reject CRLF and whitespace characters that would break the start-line, but `setUri()` does not apply the same validation. `HttpRequestEncoder` and `RtspEncoder` then write the URI into the request line verbatim. If attacker-controlled input reaches `setUri()`, this enables CRLF injection and insertion of additional HTTP or RTSP requests, leading to HTTP request smuggling or desynchronization on the HTTP side and request injection on the RTSP side. This issue is fixed in versions 4.2.13.Final and 4.1.133.Final.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-41417",
"url": "https://www.suse.com/security/cve/CVE-2026-41417"
},
{
"category": "external",
"summary": "SUSE Bug 1264350 for CVE-2026-41417",
"url": "https://bugzilla.suse.com/1264350"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-16T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-41417"
},
{
"cve": "CVE-2026-42578",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-42578"
}
],
"notes": [
{
"category": "general",
"text": "Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty\u0027s HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage() method creates headers using DefaultHttpHeadersFactory.headersFactory().withValidation(false), then adds user-provided outboundHeaders without any CRLF validation. This allows an attacker who can influence the outbound headers to inject arbitrary HTTP headers into the CONNECT request sent to the proxy server. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-42578",
"url": "https://www.suse.com/security/cve/CVE-2026-42578"
},
{
"category": "external",
"summary": "SUSE Bug 1265243 for CVE-2026-42578",
"url": "https://bugzilla.suse.com/1265243"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-16T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-42578"
},
{
"cve": "CVE-2026-42579",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-42579"
}
],
"notes": [
{
"category": "general",
"text": "Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty\u0027s DNS codec does not enforce RFC 1035 domain name constraints during either encoding or decoding. This creates a bidirectional attack surface: malicious DNS responses can exploit the decoder, and user-influenced hostnames can exploit the encoder. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-42579",
"url": "https://www.suse.com/security/cve/CVE-2026-42579"
},
{
"category": "external",
"summary": "SUSE Bug 1265272 for CVE-2026-42579",
"url": "https://bugzilla.suse.com/1265272"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-16T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-42579"
},
{
"cve": "CVE-2026-42580",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-42580"
}
],
"notes": [
{
"category": "general",
"text": "Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty\u0027s chunk size parser silently overflows int, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-42580",
"url": "https://www.suse.com/security/cve/CVE-2026-42580"
},
{
"category": "external",
"summary": "SUSE Bug 1265273 for CVE-2026-42580",
"url": "https://bugzilla.suse.com/1265273"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-16T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-42580"
},
{
"cve": "CVE-2026-42581",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-42581"
}
],
"notes": [
{
"category": "general",
"text": "Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder strips a conflicting Content-Length header when a request carries both Transfer-Encoding: chunked and Content-Length, but only for HTTP/1.1 messages. The guard is absent for HTTP/1.0. An attacker that sends an HTTP/1.0 request with both headers causes Netty to decode the body as chunked while leaving Content-Length intact in the forwarded HttpMessage. Any downstream proxy or handler that trusts Content-Length over Transfer-Encoding will disagree on message boundaries, enabling request smuggling. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-42581",
"url": "https://www.suse.com/security/cve/CVE-2026-42581"
},
{
"category": "external",
"summary": "SUSE Bug 1265277 for CVE-2026-42581",
"url": "https://bugzilla.suse.com/1265277"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-16T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-42581"
},
{
"cve": "CVE-2026-42582",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-42582"
}
],
"notes": [
{
"category": "general",
"text": "Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final, when decoding header blocks, the non-Huffman branch of io.netty.handler.codec.http3.QpackDecoder#decodeHuffmanEncodedLiteral may execute new byte[length] for a string literal before verifying that length bytes are actually present in the compressed field section. The wire encoding allows a very large length to be expressed in few bytes. There is no check that length \u003c= in.readableBytes() before new byte[length]. This vulnerability is fixed in 4.2.13.Final.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-42582",
"url": "https://www.suse.com/security/cve/CVE-2026-42582"
},
{
"category": "external",
"summary": "SUSE Bug 1265318 for CVE-2026-42582",
"url": "https://bugzilla.suse.com/1265318"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-16T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-42582"
},
{
"cve": "CVE-2026-42583",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-42583"
}
],
"notes": [
{
"category": "general",
"text": "Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Lz4FrameDecoder allocates a ByteBuf of size decompressedLength (up to 32 MB per block) before LZ4 runs. A peer only needs a 21-byte header plus compressedLength payload bytes - 22 bytes if compressedLength == 1 - to force that allocation. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-42583",
"url": "https://www.suse.com/security/cve/CVE-2026-42583"
},
{
"category": "external",
"summary": "SUSE Bug 1265279 for CVE-2026-42583",
"url": "https://bugzilla.suse.com/1265279"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-16T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-42583"
},
{
"cve": "CVE-2026-42584",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-42584"
}
],
"notes": [
{
"category": "general",
"text": "Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll() once per response, including for 1xx. If the client pipelines GET then HEAD and the server sends 103, then 200 with GET body, then 200 for HEAD, the queue pairs HEAD with the first 200. The HEAD rule then skips reading that message\u0027s body, so the GET entity bytes stay on the stream and the following 200 is parsed from the wrong offset. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-42584",
"url": "https://www.suse.com/security/cve/CVE-2026-42584"
},
{
"category": "external",
"summary": "SUSE Bug 1265280 for CVE-2026-42584",
"url": "https://bugzilla.suse.com/1265280"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-16T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-42584"
},
{
"cve": "CVE-2026-42585",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-42585"
}
],
"notes": [
{
"category": "general",
"text": "Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-42585",
"url": "https://www.suse.com/security/cve/CVE-2026-42585"
},
{
"category": "external",
"summary": "SUSE Bug 1265291 for CVE-2026-42585",
"url": "https://bugzilla.suse.com/1265291"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-16T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-42585"
},
{
"cve": "CVE-2026-42586",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-42586"
}
],
"notes": [
{
"category": "general",
"text": "Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the Netty Redis codec encoder (RedisEncoder) writes user-controlled string content directly to the network output buffer without validating or sanitizing CRLF (\\r\\n) characters. Since the Redis Serialization Protocol (RESP) uses CRLF as the command/response delimiter, an attacker who can control the content of a Redis message can inject arbitrary Redis commands or forge fake responses. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-42586",
"url": "https://www.suse.com/security/cve/CVE-2026-42586"
},
{
"category": "external",
"summary": "SUSE Bug 1265245 for CVE-2026-42586",
"url": "https://bugzilla.suse.com/1265245"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-16T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-42586"
},
{
"cve": "CVE-2026-42587",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-42587"
}
],
"notes": [
{
"category": "general",
"text": "Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate encodings via ZlibDecoder, but is silently ignored when the content encoding is br (Brotli), zstd, or snappy. An attacker can bypass the configured decompression limit by sending a compressed payload with Content-Encoding: br instead of Content-Encoding: gzip, causing unbounded memory allocation and out-of-memory denial of service. The same vulnerability exists in DelegatingDecompressorFrameListener for HTTP/2 connections. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-42587",
"url": "https://www.suse.com/security/cve/CVE-2026-42587"
},
{
"category": "external",
"summary": "SUSE Bug 1265246 for CVE-2026-42587",
"url": "https://bugzilla.suse.com/1265246"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-16T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-42587"
},
{
"cve": "CVE-2026-44248",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-44248"
}
],
"notes": [
{
"category": "general",
"text": "Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the MQTT 5 header Properties section is parsed and buffered before any message size limit is applied. Specifically, in MqttDecoder, the decodeVariableHeader() method is called before the bytesRemainingBeforeVariableHeader \u003e maxBytesInMessage check. The decodeVariableHeader() can call other methods which will call decodeProperties(). Effectively, Netty does not apply any limits to the size of the properties being decoded. Additionally, because MqttDecoder extends ReplayingDecoder, Netty will repeatedly re-parse the enormous Properties sections and buffer the bytes in memory, until the entire thing parses to completion. This can cause high resource usage in both CPU and memory. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-44248",
"url": "https://www.suse.com/security/cve/CVE-2026-44248"
},
{
"category": "external",
"summary": "SUSE Bug 1265293 for CVE-2026-44248",
"url": "https://bugzilla.suse.com/1265293"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:netty-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-bom-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-javadoc-4.1.133-1.1.x86_64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.aarch64",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.ppc64le",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.s390x",
"openSUSE Tumbleweed:netty-parent-4.1.133-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-16T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-44248"
}
]
}
RHSA-2026:23808
Vulnerability from csaf_redhat - Published: 2026-06-10 12:05 - Updated: 2026-07-09 15:32A flaw was found in Netty. The HttpProxyHandler component, which handles HTTP CONNECT requests, does not properly validate user-provided outbound headers. This allows an attacker to inject arbitrary HTTP headers into the CONNECT request sent to the proxy server. This could lead to unexpected behavior or potential bypass of security controls on the proxy server.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Quarkus 3.27.4
Red Hat / Red Hat build of Quarkus
|
cpe:/a:redhat:quarkus:3.27::el8
|
— |
Vendor Fix
fix
|
A flaw was found in Netty. Netty's DNS (Domain Name System) codec does not properly enforce domain name constraints as defined in RFC 1035 during both encoding and decoding processes. This vulnerability allows a remote attacker to exploit the decoder using malicious DNS responses or exploit the encoder through user-influenced hostnames, leading to a high integrity impact on the affected system.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Quarkus 3.27.4
Red Hat / Red Hat build of Quarkus
|
cpe:/a:redhat:quarkus:3.27::el8
|
— |
Vendor Fix
fix
Workaround
|
A flaw was found in Netty's HttpObjectDecoder. A remote attacker can exploit this by sending a specially crafted HTTP/1.0 request that includes both `Transfer-Encoding: chunked` and `Content-Length` headers. While Netty correctly strips the conflicting `Content-Length` header for HTTP/1.1 messages, this guard is absent for HTTP/1.0. This can lead to HTTP request smuggling, where downstream proxies or handlers may misinterpret message boundaries, potentially allowing an attacker to bypass security controls or access unauthorized information.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Quarkus 3.27.4
Red Hat / Red Hat build of Quarkus
|
cpe:/a:redhat:quarkus:3.27::el8
|
— |
Vendor Fix
fix
Workaround
|
A flaw was found in Netty, an asynchronous, event-driven network application framework. A remote attacker could exploit this vulnerability by sending a specific sequence of HTTP responses (103, followed by a 200 with a GET body, then another 200 for a HEAD request) when the client pipelines GET then HEAD requests. This can cause the HttpClientCodec to incorrectly pair responses, leading to subsequent HTTP responses being parsed from the wrong offset. This issue may result in information disclosure or other data integrity problems due to misinterpretation of network traffic.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Quarkus 3.27.4
Red Hat / Red Hat build of Quarkus
|
cpe:/a:redhat:quarkus:3.27::el8
|
— |
Vendor Fix
fix
|
A flaw was found in Netty. A remote attacker can bypass the configured decompression limit in the HttpContentDecompressor by sending a specially crafted compressed payload using Brotli (br), Zstandard (zstd), or Snappy content encodings. This can lead to unbounded memory allocation, resulting in an out-of-memory Denial of Service (DoS) for the affected system.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Quarkus 3.27.4
Red Hat / Red Hat build of Quarkus
|
cpe:/a:redhat:quarkus:3.27::el8
|
— |
Vendor Fix
fix
Workaround
|
| URL | Category |
|---|---|
| https://access.redhat.com/errata/RHSA-2026:23808 | self |
| https://access.redhat.com/security/updates/classi… | external |
| https://access.redhat.com/products/quarkus/ | external |
| https://access.redhat.com/jbossnetwork/restricted… | external |
| https://docs.redhat.com/en/documentation/red_hat_… | external |
| https://issues.redhat.com/browse/QUARKUS-6793 | external |
| https://issues.redhat.com/browse/QUARKUS-7610 | external |
| https://issues.redhat.com/browse/QUARKUS-7615 | external |
| https://issues.redhat.com/browse/QUARKUS-7616 | external |
| https://issues.redhat.com/browse/QUARKUS-7617 | external |
| https://issues.redhat.com/browse/QUARKUS-7618 | external |
| https://issues.redhat.com/browse/QUARKUS-7619 | external |
| https://issues.redhat.com/browse/QUARKUS-7620 | external |
| https://issues.redhat.com/browse/QUARKUS-7621 | external |
| https://issues.redhat.com/browse/QUARKUS-7622 | external |
| https://issues.redhat.com/browse/QUARKUS-7623 | external |
| https://issues.redhat.com/browse/QUARKUS-7624 | external |
| https://issues.redhat.com/browse/QUARKUS-7625 | external |
| https://issues.redhat.com/browse/QUARKUS-7626 | external |
| https://issues.redhat.com/browse/QUARKUS-7627 | external |
| https://issues.redhat.com/browse/QUARKUS-7628 | external |
| https://issues.redhat.com/browse/QUARKUS-7630 | external |
| https://issues.redhat.com/browse/QUARKUS-7631 | external |
| https://issues.redhat.com/browse/QUARKUS-7632 | external |
| https://issues.redhat.com/browse/QUARKUS-7633 | external |
| https://issues.redhat.com/browse/QUARKUS-7664 | external |
| https://issues.redhat.com/browse/QUARKUS-7774 | external |
| https://issues.redhat.com/browse/QUARKUS-7775 | external |
| https://issues.redhat.com/browse/QUARKUS-7776 | external |
| https://issues.redhat.com/browse/QUARKUS-7777 | external |
| https://issues.redhat.com/browse/QUARKUS-7778 | external |
| https://issues.redhat.com/browse/QUARKUS-7779 | external |
| https://issues.redhat.com/browse/QUARKUS-7780 | external |
| https://issues.redhat.com/browse/QUARKUS-7781 | external |
| https://issues.redhat.com/browse/QUARKUS-7812 | external |
| https://issues.redhat.com/browse/QUARKUS-7813 | external |
| https://security.access.redhat.com/data/csaf/v2/a… | self |
| https://access.redhat.com/security/cve/CVE-2026-42578 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2477226 | external |
| https://www.cve.org/CVERecord?id=CVE-2026-42578 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2026-42578 | external |
| https://github.com/netty/netty/security/advisorie… | external |
| https://access.redhat.com/security/cve/CVE-2026-42579 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2477217 | external |
| https://www.cve.org/CVERecord?id=CVE-2026-42579 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2026-42579 | external |
| https://github.com/netty/netty/security/advisorie… | external |
| https://access.redhat.com/security/cve/CVE-2026-42581 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2477232 | external |
| https://www.cve.org/CVERecord?id=CVE-2026-42581 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2026-42581 | external |
| https://github.com/netty/netty/security/advisorie… | external |
| https://access.redhat.com/security/cve/CVE-2026-42584 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2477224 | external |
| https://www.cve.org/CVERecord?id=CVE-2026-42584 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2026-42584 | external |
| https://github.com/netty/netty/security/advisorie… | external |
| https://access.redhat.com/security/cve/CVE-2026-42587 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2477220 | external |
| https://www.cve.org/CVERecord?id=CVE-2026-42587 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2026-42587 | external |
| https://github.com/netty/netty/security/advisorie… | external |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat build of Quarkus.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "This release of Red Hat build of Quarkus 3.27.4 includes the following CVE fixes:\n\n* netty-codec-dns: Netty: High integrity impact due to improper DNS domain name constraint enforcement [quarkus-3.27] (CVE-2026-42579)\n\n* netty-codec-http: Netty: Incorrect HTTP response parsing leads to data confusion [quarkus-3.27] (CVE-2026-42584)\n\n* netty-codec-http: Netty: HTTP Request Smuggling due to improper handling of conflicting HTTP/1.0 headers [quarkus-3.27] (CVE-2026-42581)\n\n* netty-handler-proxy: Netty: HTTP Header Injection via HttpProxyHandler Disabled Validation [quarkus-3.27] (CVE-2026-42578)\n\n* netty-codec-http: Netty: Denial of Service via unbounded memory allocation in HTTP content decompression [quarkus-3.27] (CVE-2026-42587)\n\n* netty-codec-http2: Netty: Denial of Service via unbounded memory allocation in HTTP content decompression [quarkus-3.27] (CVE-2026-42587)\n\nFor more information, see the release notes page listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:23808",
"url": "https://access.redhat.com/errata/RHSA-2026:23808"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/products/quarkus/",
"url": "https://access.redhat.com/products/quarkus/"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=redhat.quarkus\u0026downloadType=distributions\u0026version=3.27.4",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=redhat.quarkus\u0026downloadType=distributions\u0026version=3.27.4"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/red_hat_build_of_quarkus/3.27",
"url": "https://docs.redhat.com/en/documentation/red_hat_build_of_quarkus/3.27"
},
{
"category": "external",
"summary": "QUARKUS-6793",
"url": "https://issues.redhat.com/browse/QUARKUS-6793"
},
{
"category": "external",
"summary": "QUARKUS-7610",
"url": "https://issues.redhat.com/browse/QUARKUS-7610"
},
{
"category": "external",
"summary": "QUARKUS-7615",
"url": "https://issues.redhat.com/browse/QUARKUS-7615"
},
{
"category": "external",
"summary": "QUARKUS-7616",
"url": "https://issues.redhat.com/browse/QUARKUS-7616"
},
{
"category": "external",
"summary": "QUARKUS-7617",
"url": "https://issues.redhat.com/browse/QUARKUS-7617"
},
{
"category": "external",
"summary": "QUARKUS-7618",
"url": "https://issues.redhat.com/browse/QUARKUS-7618"
},
{
"category": "external",
"summary": "QUARKUS-7619",
"url": "https://issues.redhat.com/browse/QUARKUS-7619"
},
{
"category": "external",
"summary": "QUARKUS-7620",
"url": "https://issues.redhat.com/browse/QUARKUS-7620"
},
{
"category": "external",
"summary": "QUARKUS-7621",
"url": "https://issues.redhat.com/browse/QUARKUS-7621"
},
{
"category": "external",
"summary": "QUARKUS-7622",
"url": "https://issues.redhat.com/browse/QUARKUS-7622"
},
{
"category": "external",
"summary": "QUARKUS-7623",
"url": "https://issues.redhat.com/browse/QUARKUS-7623"
},
{
"category": "external",
"summary": "QUARKUS-7624",
"url": "https://issues.redhat.com/browse/QUARKUS-7624"
},
{
"category": "external",
"summary": "QUARKUS-7625",
"url": "https://issues.redhat.com/browse/QUARKUS-7625"
},
{
"category": "external",
"summary": "QUARKUS-7626",
"url": "https://issues.redhat.com/browse/QUARKUS-7626"
},
{
"category": "external",
"summary": "QUARKUS-7627",
"url": "https://issues.redhat.com/browse/QUARKUS-7627"
},
{
"category": "external",
"summary": "QUARKUS-7628",
"url": "https://issues.redhat.com/browse/QUARKUS-7628"
},
{
"category": "external",
"summary": "QUARKUS-7630",
"url": "https://issues.redhat.com/browse/QUARKUS-7630"
},
{
"category": "external",
"summary": "QUARKUS-7631",
"url": "https://issues.redhat.com/browse/QUARKUS-7631"
},
{
"category": "external",
"summary": "QUARKUS-7632",
"url": "https://issues.redhat.com/browse/QUARKUS-7632"
},
{
"category": "external",
"summary": "QUARKUS-7633",
"url": "https://issues.redhat.com/browse/QUARKUS-7633"
},
{
"category": "external",
"summary": "QUARKUS-7664",
"url": "https://issues.redhat.com/browse/QUARKUS-7664"
},
{
"category": "external",
"summary": "QUARKUS-7774",
"url": "https://issues.redhat.com/browse/QUARKUS-7774"
},
{
"category": "external",
"summary": "QUARKUS-7775",
"url": "https://issues.redhat.com/browse/QUARKUS-7775"
},
{
"category": "external",
"summary": "QUARKUS-7776",
"url": "https://issues.redhat.com/browse/QUARKUS-7776"
},
{
"category": "external",
"summary": "QUARKUS-7777",
"url": "https://issues.redhat.com/browse/QUARKUS-7777"
},
{
"category": "external",
"summary": "QUARKUS-7778",
"url": "https://issues.redhat.com/browse/QUARKUS-7778"
},
{
"category": "external",
"summary": "QUARKUS-7779",
"url": "https://issues.redhat.com/browse/QUARKUS-7779"
},
{
"category": "external",
"summary": "QUARKUS-7780",
"url": "https://issues.redhat.com/browse/QUARKUS-7780"
},
{
"category": "external",
"summary": "QUARKUS-7781",
"url": "https://issues.redhat.com/browse/QUARKUS-7781"
},
{
"category": "external",
"summary": "QUARKUS-7812",
"url": "https://issues.redhat.com/browse/QUARKUS-7812"
},
{
"category": "external",
"summary": "QUARKUS-7813",
"url": "https://issues.redhat.com/browse/QUARKUS-7813"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_23808.json"
}
],
"title": "Red Hat Security Advisory: Red Hat build of Quarkus 3.27.4 release and security update",
"tracking": {
"current_release_date": "2026-07-09T15:32:14+00:00",
"generator": {
"date": "2026-07-09T15:32:14+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.2"
}
},
"id": "RHSA-2026:23808",
"initial_release_date": "2026-06-10T12:05:35+00:00",
"revision_history": [
{
"date": "2026-06-10T12:05:35+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-06-10T12:05:35+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-07-09T15:32:14+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat build of Quarkus 3.27.4",
"product": {
"name": "Red Hat build of Quarkus 3.27.4",
"product_id": "Red Hat build of Quarkus 3.27.4",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:quarkus:3.27::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat build of Quarkus"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-42578",
"cwe": {
"id": "CWE-93",
"name": "Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)"
},
"discovery_date": "2026-05-13T19:02:00.826936+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2477226"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Netty. The HttpProxyHandler component, which handles HTTP CONNECT requests, does not properly validate user-provided outbound headers. This allows an attacker to inject arbitrary HTTP headers into the CONNECT request sent to the proxy server. This could lead to unexpected behavior or potential bypass of security controls on the proxy server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "netty: io.netty/netty-handler-proxy: Netty: HTTP Header Injection via HttpProxyHandler Disabled Validation",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus 3.27.4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-42578"
},
{
"category": "external",
"summary": "RHBZ#2477226",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2477226"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-42578",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42578"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42578",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42578"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/security/advisories/GHSA-45q3-82m4-75jr",
"url": "https://github.com/netty/netty/security/advisories/GHSA-45q3-82m4-75jr"
}
],
"release_date": "2026-05-13T17:57:43.538000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-10T12:05:35+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Quarkus 3.27.4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:23808"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus 3.27.4"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "netty: io.netty/netty-handler-proxy: Netty: HTTP Header Injection via HttpProxyHandler Disabled Validation"
},
{
"cve": "CVE-2026-42579",
"cwe": {
"id": "CWE-1286",
"name": "Improper Validation of Syntactic Correctness of Input"
},
"discovery_date": "2026-05-13T19:01:25.062732+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2477217"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Netty. Netty\u0027s DNS (Domain Name System) codec does not properly enforce domain name constraints as defined in RFC 1035 during both encoding and decoding processes. This vulnerability allows a remote attacker to exploit the decoder using malicious DNS responses or exploit the encoder through user-influenced hostnames, leading to a high integrity impact on the affected system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "netty: Netty: High integrity impact due to improper DNS domain name constraint enforcement",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important integrity flaw in Netty\u0027s DNS codec. The vulnerability arises from insufficient enforcement of RFC 1035 domain name constraints during both encoding and decoding, allowing remote attackers to manipulate DNS responses or user-controlled hostnames. This could lead to a high integrity impact on affected Red Hat products that utilize the vulnerable Netty DNS codec.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus 3.27.4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-42579"
},
{
"category": "external",
"summary": "RHBZ#2477217",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2477217"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-42579",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42579"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42579",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42579"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/security/advisories/GHSA-cm33-6792-r9fm",
"url": "https://github.com/netty/netty/security/advisories/GHSA-cm33-6792-r9fm"
}
],
"release_date": "2026-05-13T18:01:52.500000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-10T12:05:35+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Quarkus 3.27.4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:23808"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat build of Quarkus 3.27.4"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus 3.27.4"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "netty: Netty: High integrity impact due to improper DNS domain name constraint enforcement"
},
{
"cve": "CVE-2026-42581",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2026-05-13T19:02:26.404511+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2477232"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Netty\u0027s HttpObjectDecoder. A remote attacker can exploit this by sending a specially crafted HTTP/1.0 request that includes both `Transfer-Encoding: chunked` and `Content-Length` headers. While Netty correctly strips the conflicting `Content-Length` header for HTTP/1.1 messages, this guard is absent for HTTP/1.0. This can lead to HTTP request smuggling, where downstream proxies or handlers may misinterpret message boundaries, potentially allowing an attacker to bypass security controls or access unauthorized information.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "netty: io.netty/netty-codec-http: Netty: HTTP Request Smuggling due to improper handling of conflicting HTTP/1.0 headers",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important flaw. Netty\u0027s HttpObjectDecoder, used across various Red Hat products, improperly handles conflicting `Transfer-Encoding: chunked` and `Content-Length` headers in HTTP/1.0 requests. This allows a remote attacker to perform HTTP request smuggling, potentially bypassing security controls or gaining unauthorized access to information due to misinterpretation of message boundaries by downstream proxies or handlers.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus 3.27.4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-42581"
},
{
"category": "external",
"summary": "RHBZ#2477232",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2477232"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-42581",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42581"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42581",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42581"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/security/advisories/GHSA-xxqh-mfjm-7mv9",
"url": "https://github.com/netty/netty/security/advisories/GHSA-xxqh-mfjm-7mv9"
}
],
"release_date": "2026-05-13T17:54:44.492000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-10T12:05:35+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Quarkus 3.27.4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:23808"
},
{
"category": "workaround",
"details": "To mitigate this issue, configure any reverse proxies or load balancers in front of Netty to either reject HTTP/1.0 requests containing both Transfer-Encoding: chunked and Content-Length headers, or to explicitly prioritize the Transfer-Encoding header over Content-Length for HTTP/1.0 traffic. This ensures consistent interpretation of message boundaries and prevents request smuggling attacks.",
"product_ids": [
"Red Hat build of Quarkus 3.27.4"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus 3.27.4"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "netty: io.netty/netty-codec-http: Netty: HTTP Request Smuggling due to improper handling of conflicting HTTP/1.0 headers"
},
{
"cve": "CVE-2026-42584",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2026-05-13T19:01:51.846351+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2477224"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Netty, an asynchronous, event-driven network application framework. A remote attacker could exploit this vulnerability by sending a specific sequence of HTTP responses (103, followed by a 200 with a GET body, then another 200 for a HEAD request) when the client pipelines GET then HEAD requests. This can cause the HttpClientCodec to incorrectly pair responses, leading to subsequent HTTP responses being parsed from the wrong offset. This issue may result in information disclosure or other data integrity problems due to misinterpretation of network traffic.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "netty: io.netty/netty-codec-http: Netty: Incorrect HTTP response parsing leads to data confusion",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Important: A flaw in Netty\u0027s HttpClientCodec allows a remote attacker to cause data confusion. By sending a specially crafted sequence of HTTP responses, an attacker can cause subsequent HTTP responses to be parsed incorrectly, potentially leading to information disclosure or data integrity issues in applications utilizing Netty for HTTP client operations. This vulnerability affects various Red Hat products that bundle Netty, including Red Hat AMQ, Enterprise Application Platform, Red Hat Build of Quarkus, and Red Hat Build of Keycloak.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus 3.27.4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-42584"
},
{
"category": "external",
"summary": "RHBZ#2477224",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2477224"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-42584",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42584"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42584",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42584"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/security/advisories/GHSA-57rv-r2g8-2cj3",
"url": "https://github.com/netty/netty/security/advisories/GHSA-57rv-r2g8-2cj3"
}
],
"release_date": "2026-05-13T18:10:48.437000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-10T12:05:35+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Quarkus 3.27.4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:23808"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus 3.27.4"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "netty: io.netty/netty-codec-http: Netty: Incorrect HTTP response parsing leads to data confusion"
},
{
"cve": "CVE-2026-42587",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-05-13T19:01:35.415881+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2477220"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Netty. A remote attacker can bypass the configured decompression limit in the HttpContentDecompressor by sending a specially crafted compressed payload using Brotli (br), Zstandard (zstd), or Snappy content encodings. This can lead to unbounded memory allocation, resulting in an out-of-memory Denial of Service (DoS) for the affected system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "netty: io.netty/netty-codec-http: io.netty/netty-codec-http2: Netty: Denial of Service via unbounded memory allocation in HTTP content decompression",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important denial of service vulnerability in Netty\u0027s HTTP content decompression. A remote attacker can exploit this flaw by sending specially crafted compressed payloads using Brotli, Zstandard, or Snappy encodings, bypassing configured decompression limits. This leads to unbounded memory allocation, potentially causing an out-of-memory condition and rendering affected Red Hat systems unavailable.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus 3.27.4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-42587"
},
{
"category": "external",
"summary": "RHBZ#2477220",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2477220"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-42587",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42587"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42587",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42587"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/security/advisories/GHSA-f6hv-jmp6-3vwv",
"url": "https://github.com/netty/netty/security/advisories/GHSA-f6hv-jmp6-3vwv"
}
],
"release_date": "2026-05-13T18:22:21.699000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-10T12:05:35+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Quarkus 3.27.4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:23808"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat build of Quarkus 3.27.4"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus 3.27.4"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "netty: io.netty/netty-codec-http: io.netty/netty-codec-http2: Netty: Denial of Service via unbounded memory allocation in HTTP content decompression"
}
]
}
RHSA-2026:24502
Vulnerability from csaf_redhat - Published: 2026-06-10 12:09 - Updated: 2026-07-09 15:32A flaw was found in Netty. The HttpProxyHandler component, which handles HTTP CONNECT requests, does not properly validate user-provided outbound headers. This allows an attacker to inject arbitrary HTTP headers into the CONNECT request sent to the proxy server. This could lead to unexpected behavior or potential bypass of security controls on the proxy server.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Quarkus 3.33.2
Red Hat / Red Hat build of Quarkus
|
cpe:/a:redhat:quarkus:3.33::el8
|
— |
Vendor Fix
fix
|
A flaw was found in Netty. Netty's DNS (Domain Name System) codec does not properly enforce domain name constraints as defined in RFC 1035 during both encoding and decoding processes. This vulnerability allows a remote attacker to exploit the decoder using malicious DNS responses or exploit the encoder through user-influenced hostnames, leading to a high integrity impact on the affected system.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Quarkus 3.33.2
Red Hat / Red Hat build of Quarkus
|
cpe:/a:redhat:quarkus:3.33::el8
|
— |
Vendor Fix
fix
Workaround
|
A flaw was found in Netty's HttpObjectDecoder. A remote attacker can exploit this by sending a specially crafted HTTP/1.0 request that includes both `Transfer-Encoding: chunked` and `Content-Length` headers. While Netty correctly strips the conflicting `Content-Length` header for HTTP/1.1 messages, this guard is absent for HTTP/1.0. This can lead to HTTP request smuggling, where downstream proxies or handlers may misinterpret message boundaries, potentially allowing an attacker to bypass security controls or access unauthorized information.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Quarkus 3.33.2
Red Hat / Red Hat build of Quarkus
|
cpe:/a:redhat:quarkus:3.33::el8
|
— |
Vendor Fix
fix
Workaround
|
A flaw was found in Netty, an asynchronous, event-driven network application framework. A remote attacker could exploit this vulnerability by sending a specific sequence of HTTP responses (103, followed by a 200 with a GET body, then another 200 for a HEAD request) when the client pipelines GET then HEAD requests. This can cause the HttpClientCodec to incorrectly pair responses, leading to subsequent HTTP responses being parsed from the wrong offset. This issue may result in information disclosure or other data integrity problems due to misinterpretation of network traffic.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Quarkus 3.33.2
Red Hat / Red Hat build of Quarkus
|
cpe:/a:redhat:quarkus:3.33::el8
|
— |
Vendor Fix
fix
|
A flaw was found in Netty. A remote attacker can bypass the configured decompression limit in the HttpContentDecompressor by sending a specially crafted compressed payload using Brotli (br), Zstandard (zstd), or Snappy content encodings. This can lead to unbounded memory allocation, resulting in an out-of-memory Denial of Service (DoS) for the affected system.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Quarkus 3.33.2
Red Hat / Red Hat build of Quarkus
|
cpe:/a:redhat:quarkus:3.33::el8
|
— |
Vendor Fix
fix
Workaround
|
| URL | Category |
|---|---|
| https://access.redhat.com/errata/RHSA-2026:24502 | self |
| https://access.redhat.com/security/updates/classi… | external |
| https://access.redhat.com/products/quarkus/ | external |
| https://access.redhat.com/jbossnetwork/restricted… | external |
| https://docs.redhat.com/en/documentation/red_hat_… | external |
| https://issues.redhat.com/browse/QUARKUS-7634 | external |
| https://issues.redhat.com/browse/QUARKUS-7635 | external |
| https://issues.redhat.com/browse/QUARKUS-7636 | external |
| https://issues.redhat.com/browse/QUARKUS-7637 | external |
| https://issues.redhat.com/browse/QUARKUS-7638 | external |
| https://issues.redhat.com/browse/QUARKUS-7639 | external |
| https://issues.redhat.com/browse/QUARKUS-7640 | external |
| https://issues.redhat.com/browse/QUARKUS-7641 | external |
| https://issues.redhat.com/browse/QUARKUS-7642 | external |
| https://issues.redhat.com/browse/QUARKUS-7643 | external |
| https://issues.redhat.com/browse/QUARKUS-7644 | external |
| https://issues.redhat.com/browse/QUARKUS-7645 | external |
| https://issues.redhat.com/browse/QUARKUS-7646 | external |
| https://issues.redhat.com/browse/QUARKUS-7647 | external |
| https://issues.redhat.com/browse/QUARKUS-7648 | external |
| https://issues.redhat.com/browse/QUARKUS-7649 | external |
| https://issues.redhat.com/browse/QUARKUS-7650 | external |
| https://issues.redhat.com/browse/QUARKUS-7651 | external |
| https://issues.redhat.com/browse/QUARKUS-7652 | external |
| https://issues.redhat.com/browse/QUARKUS-7653 | external |
| https://issues.redhat.com/browse/QUARKUS-7654 | external |
| https://issues.redhat.com/browse/QUARKUS-7655 | external |
| https://issues.redhat.com/browse/QUARKUS-7656 | external |
| https://issues.redhat.com/browse/QUARKUS-7657 | external |
| https://issues.redhat.com/browse/QUARKUS-7658 | external |
| https://issues.redhat.com/browse/QUARKUS-7659 | external |
| https://issues.redhat.com/browse/QUARKUS-7660 | external |
| https://issues.redhat.com/browse/QUARKUS-7661 | external |
| https://issues.redhat.com/browse/QUARKUS-7666 | external |
| https://issues.redhat.com/browse/QUARKUS-7686 | external |
| https://issues.redhat.com/browse/QUARKUS-7727 | external |
| https://issues.redhat.com/browse/QUARKUS-7728 | external |
| https://issues.redhat.com/browse/QUARKUS-7729 | external |
| https://issues.redhat.com/browse/QUARKUS-7730 | external |
| https://issues.redhat.com/browse/QUARKUS-7731 | external |
| https://issues.redhat.com/browse/QUARKUS-7732 | external |
| https://issues.redhat.com/browse/QUARKUS-7733 | external |
| https://issues.redhat.com/browse/QUARKUS-7734 | external |
| https://issues.redhat.com/browse/QUARKUS-7735 | external |
| https://issues.redhat.com/browse/QUARKUS-7736 | external |
| https://issues.redhat.com/browse/QUARKUS-7737 | external |
| https://issues.redhat.com/browse/QUARKUS-7738 | external |
| https://issues.redhat.com/browse/QUARKUS-7739 | external |
| https://issues.redhat.com/browse/QUARKUS-7740 | external |
| https://issues.redhat.com/browse/QUARKUS-7741 | external |
| https://issues.redhat.com/browse/QUARKUS-7742 | external |
| https://issues.redhat.com/browse/QUARKUS-7743 | external |
| https://issues.redhat.com/browse/QUARKUS-7744 | external |
| https://issues.redhat.com/browse/QUARKUS-7745 | external |
| https://issues.redhat.com/browse/QUARKUS-7746 | external |
| https://issues.redhat.com/browse/QUARKUS-7747 | external |
| https://issues.redhat.com/browse/QUARKUS-7748 | external |
| https://issues.redhat.com/browse/QUARKUS-7749 | external |
| https://issues.redhat.com/browse/QUARKUS-7750 | external |
| https://issues.redhat.com/browse/QUARKUS-7751 | external |
| https://issues.redhat.com/browse/QUARKUS-7752 | external |
| https://issues.redhat.com/browse/QUARKUS-7753 | external |
| https://issues.redhat.com/browse/QUARKUS-7754 | external |
| https://issues.redhat.com/browse/QUARKUS-7783 | external |
| https://issues.redhat.com/browse/QUARKUS-7784 | external |
| https://issues.redhat.com/browse/QUARKUS-7785 | external |
| https://issues.redhat.com/browse/QUARKUS-7786 | external |
| https://issues.redhat.com/browse/QUARKUS-7787 | external |
| https://issues.redhat.com/browse/QUARKUS-7788 | external |
| https://issues.redhat.com/browse/QUARKUS-7789 | external |
| https://issues.redhat.com/browse/QUARKUS-7790 | external |
| https://issues.redhat.com/browse/QUARKUS-7791 | external |
| https://issues.redhat.com/browse/QUARKUS-7795 | external |
| https://issues.redhat.com/browse/QUARKUS-7796 | external |
| https://issues.redhat.com/browse/QUARKUS-7797 | external |
| https://issues.redhat.com/browse/QUARKUS-7798 | external |
| https://issues.redhat.com/browse/QUARKUS-7799 | external |
| https://issues.redhat.com/browse/QUARKUS-7810 | external |
| https://issues.redhat.com/browse/QUARKUS-7811 | external |
| https://issues.redhat.com/browse/QUARKUS-7843 | external |
| https://issues.redhat.com/browse/QUARKUS-7863 | external |
| https://security.access.redhat.com/data/csaf/v2/a… | self |
| https://access.redhat.com/security/cve/CVE-2026-42578 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2477226 | external |
| https://www.cve.org/CVERecord?id=CVE-2026-42578 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2026-42578 | external |
| https://github.com/netty/netty/security/advisorie… | external |
| https://access.redhat.com/security/cve/CVE-2026-42579 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2477217 | external |
| https://www.cve.org/CVERecord?id=CVE-2026-42579 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2026-42579 | external |
| https://github.com/netty/netty/security/advisorie… | external |
| https://access.redhat.com/security/cve/CVE-2026-42581 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2477232 | external |
| https://www.cve.org/CVERecord?id=CVE-2026-42581 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2026-42581 | external |
| https://github.com/netty/netty/security/advisorie… | external |
| https://access.redhat.com/security/cve/CVE-2026-42584 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2477224 | external |
| https://www.cve.org/CVERecord?id=CVE-2026-42584 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2026-42584 | external |
| https://github.com/netty/netty/security/advisorie… | external |
| https://access.redhat.com/security/cve/CVE-2026-42587 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2477220 | external |
| https://www.cve.org/CVERecord?id=CVE-2026-42587 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2026-42587 | external |
| https://github.com/netty/netty/security/advisorie… | external |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat build of Quarkus.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "This release of Red Hat build of Quarkus 3.33.2 includes the following CVE fixes:\n\n* netty-handler-proxy: Netty: HTTP Header Injection via HttpProxyHandler Disabled Validation [quarkus-3.33] (CVE-2026-42578)\n\n* netty-codec-http: Netty: HTTP Request Smuggling due to improper handling of conflicting HTTP/1.0 headers [quarkus-3.33] (CVE-2026-42581)\n\n* netty-codec-http: Netty: Incorrect HTTP response parsing leads to data confusion [quarkus-3.33] (CVE-2026-42584)\n\n* netty-codec-http: Netty: Denial of Service via unbounded memory allocation in HTTP content decompression [quarkus-3.33] (CVE-2026-42587)\n\n* netty-codec-dns: Netty: High integrity impact due to improper DNS domain name constraint enforcement [quarkus-3.33] (CVE-2026-42579)\n\nFor more information, see the release notes page listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:24502",
"url": "https://access.redhat.com/errata/RHSA-2026:24502"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/products/quarkus/",
"url": "https://access.redhat.com/products/quarkus/"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=redhat.quarkus\u0026downloadType=distributions\u0026version=3.33.2",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=redhat.quarkus\u0026downloadType=distributions\u0026version=3.33.2"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/red_hat_build_of_quarkus/3.33",
"url": "https://docs.redhat.com/en/documentation/red_hat_build_of_quarkus/3.33"
},
{
"category": "external",
"summary": "QUARKUS-7634",
"url": "https://issues.redhat.com/browse/QUARKUS-7634"
},
{
"category": "external",
"summary": "QUARKUS-7635",
"url": "https://issues.redhat.com/browse/QUARKUS-7635"
},
{
"category": "external",
"summary": "QUARKUS-7636",
"url": "https://issues.redhat.com/browse/QUARKUS-7636"
},
{
"category": "external",
"summary": "QUARKUS-7637",
"url": "https://issues.redhat.com/browse/QUARKUS-7637"
},
{
"category": "external",
"summary": "QUARKUS-7638",
"url": "https://issues.redhat.com/browse/QUARKUS-7638"
},
{
"category": "external",
"summary": "QUARKUS-7639",
"url": "https://issues.redhat.com/browse/QUARKUS-7639"
},
{
"category": "external",
"summary": "QUARKUS-7640",
"url": "https://issues.redhat.com/browse/QUARKUS-7640"
},
{
"category": "external",
"summary": "QUARKUS-7641",
"url": "https://issues.redhat.com/browse/QUARKUS-7641"
},
{
"category": "external",
"summary": "QUARKUS-7642",
"url": "https://issues.redhat.com/browse/QUARKUS-7642"
},
{
"category": "external",
"summary": "QUARKUS-7643",
"url": "https://issues.redhat.com/browse/QUARKUS-7643"
},
{
"category": "external",
"summary": "QUARKUS-7644",
"url": "https://issues.redhat.com/browse/QUARKUS-7644"
},
{
"category": "external",
"summary": "QUARKUS-7645",
"url": "https://issues.redhat.com/browse/QUARKUS-7645"
},
{
"category": "external",
"summary": "QUARKUS-7646",
"url": "https://issues.redhat.com/browse/QUARKUS-7646"
},
{
"category": "external",
"summary": "QUARKUS-7647",
"url": "https://issues.redhat.com/browse/QUARKUS-7647"
},
{
"category": "external",
"summary": "QUARKUS-7648",
"url": "https://issues.redhat.com/browse/QUARKUS-7648"
},
{
"category": "external",
"summary": "QUARKUS-7649",
"url": "https://issues.redhat.com/browse/QUARKUS-7649"
},
{
"category": "external",
"summary": "QUARKUS-7650",
"url": "https://issues.redhat.com/browse/QUARKUS-7650"
},
{
"category": "external",
"summary": "QUARKUS-7651",
"url": "https://issues.redhat.com/browse/QUARKUS-7651"
},
{
"category": "external",
"summary": "QUARKUS-7652",
"url": "https://issues.redhat.com/browse/QUARKUS-7652"
},
{
"category": "external",
"summary": "QUARKUS-7653",
"url": "https://issues.redhat.com/browse/QUARKUS-7653"
},
{
"category": "external",
"summary": "QUARKUS-7654",
"url": "https://issues.redhat.com/browse/QUARKUS-7654"
},
{
"category": "external",
"summary": "QUARKUS-7655",
"url": "https://issues.redhat.com/browse/QUARKUS-7655"
},
{
"category": "external",
"summary": "QUARKUS-7656",
"url": "https://issues.redhat.com/browse/QUARKUS-7656"
},
{
"category": "external",
"summary": "QUARKUS-7657",
"url": "https://issues.redhat.com/browse/QUARKUS-7657"
},
{
"category": "external",
"summary": "QUARKUS-7658",
"url": "https://issues.redhat.com/browse/QUARKUS-7658"
},
{
"category": "external",
"summary": "QUARKUS-7659",
"url": "https://issues.redhat.com/browse/QUARKUS-7659"
},
{
"category": "external",
"summary": "QUARKUS-7660",
"url": "https://issues.redhat.com/browse/QUARKUS-7660"
},
{
"category": "external",
"summary": "QUARKUS-7661",
"url": "https://issues.redhat.com/browse/QUARKUS-7661"
},
{
"category": "external",
"summary": "QUARKUS-7666",
"url": "https://issues.redhat.com/browse/QUARKUS-7666"
},
{
"category": "external",
"summary": "QUARKUS-7686",
"url": "https://issues.redhat.com/browse/QUARKUS-7686"
},
{
"category": "external",
"summary": "QUARKUS-7727",
"url": "https://issues.redhat.com/browse/QUARKUS-7727"
},
{
"category": "external",
"summary": "QUARKUS-7728",
"url": "https://issues.redhat.com/browse/QUARKUS-7728"
},
{
"category": "external",
"summary": "QUARKUS-7729",
"url": "https://issues.redhat.com/browse/QUARKUS-7729"
},
{
"category": "external",
"summary": "QUARKUS-7730",
"url": "https://issues.redhat.com/browse/QUARKUS-7730"
},
{
"category": "external",
"summary": "QUARKUS-7731",
"url": "https://issues.redhat.com/browse/QUARKUS-7731"
},
{
"category": "external",
"summary": "QUARKUS-7732",
"url": "https://issues.redhat.com/browse/QUARKUS-7732"
},
{
"category": "external",
"summary": "QUARKUS-7733",
"url": "https://issues.redhat.com/browse/QUARKUS-7733"
},
{
"category": "external",
"summary": "QUARKUS-7734",
"url": "https://issues.redhat.com/browse/QUARKUS-7734"
},
{
"category": "external",
"summary": "QUARKUS-7735",
"url": "https://issues.redhat.com/browse/QUARKUS-7735"
},
{
"category": "external",
"summary": "QUARKUS-7736",
"url": "https://issues.redhat.com/browse/QUARKUS-7736"
},
{
"category": "external",
"summary": "QUARKUS-7737",
"url": "https://issues.redhat.com/browse/QUARKUS-7737"
},
{
"category": "external",
"summary": "QUARKUS-7738",
"url": "https://issues.redhat.com/browse/QUARKUS-7738"
},
{
"category": "external",
"summary": "QUARKUS-7739",
"url": "https://issues.redhat.com/browse/QUARKUS-7739"
},
{
"category": "external",
"summary": "QUARKUS-7740",
"url": "https://issues.redhat.com/browse/QUARKUS-7740"
},
{
"category": "external",
"summary": "QUARKUS-7741",
"url": "https://issues.redhat.com/browse/QUARKUS-7741"
},
{
"category": "external",
"summary": "QUARKUS-7742",
"url": "https://issues.redhat.com/browse/QUARKUS-7742"
},
{
"category": "external",
"summary": "QUARKUS-7743",
"url": "https://issues.redhat.com/browse/QUARKUS-7743"
},
{
"category": "external",
"summary": "QUARKUS-7744",
"url": "https://issues.redhat.com/browse/QUARKUS-7744"
},
{
"category": "external",
"summary": "QUARKUS-7745",
"url": "https://issues.redhat.com/browse/QUARKUS-7745"
},
{
"category": "external",
"summary": "QUARKUS-7746",
"url": "https://issues.redhat.com/browse/QUARKUS-7746"
},
{
"category": "external",
"summary": "QUARKUS-7747",
"url": "https://issues.redhat.com/browse/QUARKUS-7747"
},
{
"category": "external",
"summary": "QUARKUS-7748",
"url": "https://issues.redhat.com/browse/QUARKUS-7748"
},
{
"category": "external",
"summary": "QUARKUS-7749",
"url": "https://issues.redhat.com/browse/QUARKUS-7749"
},
{
"category": "external",
"summary": "QUARKUS-7750",
"url": "https://issues.redhat.com/browse/QUARKUS-7750"
},
{
"category": "external",
"summary": "QUARKUS-7751",
"url": "https://issues.redhat.com/browse/QUARKUS-7751"
},
{
"category": "external",
"summary": "QUARKUS-7752",
"url": "https://issues.redhat.com/browse/QUARKUS-7752"
},
{
"category": "external",
"summary": "QUARKUS-7753",
"url": "https://issues.redhat.com/browse/QUARKUS-7753"
},
{
"category": "external",
"summary": "QUARKUS-7754",
"url": "https://issues.redhat.com/browse/QUARKUS-7754"
},
{
"category": "external",
"summary": "QUARKUS-7783",
"url": "https://issues.redhat.com/browse/QUARKUS-7783"
},
{
"category": "external",
"summary": "QUARKUS-7784",
"url": "https://issues.redhat.com/browse/QUARKUS-7784"
},
{
"category": "external",
"summary": "QUARKUS-7785",
"url": "https://issues.redhat.com/browse/QUARKUS-7785"
},
{
"category": "external",
"summary": "QUARKUS-7786",
"url": "https://issues.redhat.com/browse/QUARKUS-7786"
},
{
"category": "external",
"summary": "QUARKUS-7787",
"url": "https://issues.redhat.com/browse/QUARKUS-7787"
},
{
"category": "external",
"summary": "QUARKUS-7788",
"url": "https://issues.redhat.com/browse/QUARKUS-7788"
},
{
"category": "external",
"summary": "QUARKUS-7789",
"url": "https://issues.redhat.com/browse/QUARKUS-7789"
},
{
"category": "external",
"summary": "QUARKUS-7790",
"url": "https://issues.redhat.com/browse/QUARKUS-7790"
},
{
"category": "external",
"summary": "QUARKUS-7791",
"url": "https://issues.redhat.com/browse/QUARKUS-7791"
},
{
"category": "external",
"summary": "QUARKUS-7795",
"url": "https://issues.redhat.com/browse/QUARKUS-7795"
},
{
"category": "external",
"summary": "QUARKUS-7796",
"url": "https://issues.redhat.com/browse/QUARKUS-7796"
},
{
"category": "external",
"summary": "QUARKUS-7797",
"url": "https://issues.redhat.com/browse/QUARKUS-7797"
},
{
"category": "external",
"summary": "QUARKUS-7798",
"url": "https://issues.redhat.com/browse/QUARKUS-7798"
},
{
"category": "external",
"summary": "QUARKUS-7799",
"url": "https://issues.redhat.com/browse/QUARKUS-7799"
},
{
"category": "external",
"summary": "QUARKUS-7810",
"url": "https://issues.redhat.com/browse/QUARKUS-7810"
},
{
"category": "external",
"summary": "QUARKUS-7811",
"url": "https://issues.redhat.com/browse/QUARKUS-7811"
},
{
"category": "external",
"summary": "QUARKUS-7843",
"url": "https://issues.redhat.com/browse/QUARKUS-7843"
},
{
"category": "external",
"summary": "QUARKUS-7863",
"url": "https://issues.redhat.com/browse/QUARKUS-7863"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_24502.json"
}
],
"title": "Red Hat Security Advisory: Red Hat build of Quarkus 3.33.2 release and security update",
"tracking": {
"current_release_date": "2026-07-09T15:32:15+00:00",
"generator": {
"date": "2026-07-09T15:32:15+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.2"
}
},
"id": "RHSA-2026:24502",
"initial_release_date": "2026-06-10T12:09:05+00:00",
"revision_history": [
{
"date": "2026-06-10T12:09:05+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-06-11T12:08:18+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-07-09T15:32:15+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat build of Quarkus 3.33.2",
"product": {
"name": "Red Hat build of Quarkus 3.33.2",
"product_id": "Red Hat build of Quarkus 3.33.2",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:quarkus:3.33::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat build of Quarkus"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-42578",
"cwe": {
"id": "CWE-93",
"name": "Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)"
},
"discovery_date": "2026-05-13T19:02:00.826936+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2477226"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Netty. The HttpProxyHandler component, which handles HTTP CONNECT requests, does not properly validate user-provided outbound headers. This allows an attacker to inject arbitrary HTTP headers into the CONNECT request sent to the proxy server. This could lead to unexpected behavior or potential bypass of security controls on the proxy server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "netty: io.netty/netty-handler-proxy: Netty: HTTP Header Injection via HttpProxyHandler Disabled Validation",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus 3.33.2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-42578"
},
{
"category": "external",
"summary": "RHBZ#2477226",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2477226"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-42578",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42578"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42578",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42578"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/security/advisories/GHSA-45q3-82m4-75jr",
"url": "https://github.com/netty/netty/security/advisories/GHSA-45q3-82m4-75jr"
}
],
"release_date": "2026-05-13T17:57:43.538000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-10T12:09:05+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Quarkus 3.33.2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:24502"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus 3.33.2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "netty: io.netty/netty-handler-proxy: Netty: HTTP Header Injection via HttpProxyHandler Disabled Validation"
},
{
"cve": "CVE-2026-42579",
"cwe": {
"id": "CWE-1286",
"name": "Improper Validation of Syntactic Correctness of Input"
},
"discovery_date": "2026-05-13T19:01:25.062732+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2477217"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Netty. Netty\u0027s DNS (Domain Name System) codec does not properly enforce domain name constraints as defined in RFC 1035 during both encoding and decoding processes. This vulnerability allows a remote attacker to exploit the decoder using malicious DNS responses or exploit the encoder through user-influenced hostnames, leading to a high integrity impact on the affected system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "netty: Netty: High integrity impact due to improper DNS domain name constraint enforcement",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important integrity flaw in Netty\u0027s DNS codec. The vulnerability arises from insufficient enforcement of RFC 1035 domain name constraints during both encoding and decoding, allowing remote attackers to manipulate DNS responses or user-controlled hostnames. This could lead to a high integrity impact on affected Red Hat products that utilize the vulnerable Netty DNS codec.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus 3.33.2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-42579"
},
{
"category": "external",
"summary": "RHBZ#2477217",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2477217"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-42579",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42579"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42579",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42579"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/security/advisories/GHSA-cm33-6792-r9fm",
"url": "https://github.com/netty/netty/security/advisories/GHSA-cm33-6792-r9fm"
}
],
"release_date": "2026-05-13T18:01:52.500000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-10T12:09:05+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Quarkus 3.33.2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:24502"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat build of Quarkus 3.33.2"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus 3.33.2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "netty: Netty: High integrity impact due to improper DNS domain name constraint enforcement"
},
{
"cve": "CVE-2026-42581",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2026-05-13T19:02:26.404511+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2477232"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Netty\u0027s HttpObjectDecoder. A remote attacker can exploit this by sending a specially crafted HTTP/1.0 request that includes both `Transfer-Encoding: chunked` and `Content-Length` headers. While Netty correctly strips the conflicting `Content-Length` header for HTTP/1.1 messages, this guard is absent for HTTP/1.0. This can lead to HTTP request smuggling, where downstream proxies or handlers may misinterpret message boundaries, potentially allowing an attacker to bypass security controls or access unauthorized information.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "netty: io.netty/netty-codec-http: Netty: HTTP Request Smuggling due to improper handling of conflicting HTTP/1.0 headers",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important flaw. Netty\u0027s HttpObjectDecoder, used across various Red Hat products, improperly handles conflicting `Transfer-Encoding: chunked` and `Content-Length` headers in HTTP/1.0 requests. This allows a remote attacker to perform HTTP request smuggling, potentially bypassing security controls or gaining unauthorized access to information due to misinterpretation of message boundaries by downstream proxies or handlers.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus 3.33.2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-42581"
},
{
"category": "external",
"summary": "RHBZ#2477232",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2477232"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-42581",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42581"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42581",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42581"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/security/advisories/GHSA-xxqh-mfjm-7mv9",
"url": "https://github.com/netty/netty/security/advisories/GHSA-xxqh-mfjm-7mv9"
}
],
"release_date": "2026-05-13T17:54:44.492000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-10T12:09:05+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Quarkus 3.33.2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:24502"
},
{
"category": "workaround",
"details": "To mitigate this issue, configure any reverse proxies or load balancers in front of Netty to either reject HTTP/1.0 requests containing both Transfer-Encoding: chunked and Content-Length headers, or to explicitly prioritize the Transfer-Encoding header over Content-Length for HTTP/1.0 traffic. This ensures consistent interpretation of message boundaries and prevents request smuggling attacks.",
"product_ids": [
"Red Hat build of Quarkus 3.33.2"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus 3.33.2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "netty: io.netty/netty-codec-http: Netty: HTTP Request Smuggling due to improper handling of conflicting HTTP/1.0 headers"
},
{
"cve": "CVE-2026-42584",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2026-05-13T19:01:51.846351+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2477224"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Netty, an asynchronous, event-driven network application framework. A remote attacker could exploit this vulnerability by sending a specific sequence of HTTP responses (103, followed by a 200 with a GET body, then another 200 for a HEAD request) when the client pipelines GET then HEAD requests. This can cause the HttpClientCodec to incorrectly pair responses, leading to subsequent HTTP responses being parsed from the wrong offset. This issue may result in information disclosure or other data integrity problems due to misinterpretation of network traffic.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "netty: io.netty/netty-codec-http: Netty: Incorrect HTTP response parsing leads to data confusion",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Important: A flaw in Netty\u0027s HttpClientCodec allows a remote attacker to cause data confusion. By sending a specially crafted sequence of HTTP responses, an attacker can cause subsequent HTTP responses to be parsed incorrectly, potentially leading to information disclosure or data integrity issues in applications utilizing Netty for HTTP client operations. This vulnerability affects various Red Hat products that bundle Netty, including Red Hat AMQ, Enterprise Application Platform, Red Hat Build of Quarkus, and Red Hat Build of Keycloak.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus 3.33.2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-42584"
},
{
"category": "external",
"summary": "RHBZ#2477224",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2477224"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-42584",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42584"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42584",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42584"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/security/advisories/GHSA-57rv-r2g8-2cj3",
"url": "https://github.com/netty/netty/security/advisories/GHSA-57rv-r2g8-2cj3"
}
],
"release_date": "2026-05-13T18:10:48.437000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-10T12:09:05+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Quarkus 3.33.2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:24502"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus 3.33.2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "netty: io.netty/netty-codec-http: Netty: Incorrect HTTP response parsing leads to data confusion"
},
{
"cve": "CVE-2026-42587",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-05-13T19:01:35.415881+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2477220"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Netty. A remote attacker can bypass the configured decompression limit in the HttpContentDecompressor by sending a specially crafted compressed payload using Brotli (br), Zstandard (zstd), or Snappy content encodings. This can lead to unbounded memory allocation, resulting in an out-of-memory Denial of Service (DoS) for the affected system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "netty: io.netty/netty-codec-http: io.netty/netty-codec-http2: Netty: Denial of Service via unbounded memory allocation in HTTP content decompression",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important denial of service vulnerability in Netty\u0027s HTTP content decompression. A remote attacker can exploit this flaw by sending specially crafted compressed payloads using Brotli, Zstandard, or Snappy encodings, bypassing configured decompression limits. This leads to unbounded memory allocation, potentially causing an out-of-memory condition and rendering affected Red Hat systems unavailable.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus 3.33.2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-42587"
},
{
"category": "external",
"summary": "RHBZ#2477220",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2477220"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-42587",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42587"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42587",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42587"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/security/advisories/GHSA-f6hv-jmp6-3vwv",
"url": "https://github.com/netty/netty/security/advisories/GHSA-f6hv-jmp6-3vwv"
}
],
"release_date": "2026-05-13T18:22:21.699000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-10T12:09:05+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Quarkus 3.33.2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:24502"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat build of Quarkus 3.33.2"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus 3.33.2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "netty: io.netty/netty-codec-http: io.netty/netty-codec-http2: Netty: Denial of Service via unbounded memory allocation in HTTP content decompression"
}
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.