{
  "threat_severity" : "Important",
  "public_date" : "2026-03-27T19:54:15Z",
  "bugzilla" : {
    "description" : "io.netty/netty-codec-http: Netty: Request smuggling via incorrect parsing of HTTP/1.1 chunked transfer encoding extension values",
    "id" : "2452453",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2452453"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-444",
  "details" : [ "Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the issue.", "A flaw was found in Netty. A remote attacker could exploit this vulnerability by sending specially crafted HTTP/1.1 chunked transfer encoding extension values. Due to incorrect parsing of quoted strings, this flaw enables request smuggling attacks, potentially allowing an attacker to bypass security controls or access unauthorized information." ],
  "affected_release" : [ {
    "product_name" : "Red Hat AMQ Broker 7.12.7",
    "release_date" : "2026-05-06T00:00:00Z",
    "advisory" : "RHSA-2026:14276",
    "cpe" : "cpe:/a:redhat:amq_broker:7.12",
    "package" : "netty-codec-http"
  }, {
    "product_name" : "Red Hat AMQ Broker 7.13.5",
    "release_date" : "2026-05-06T00:00:00Z",
    "advisory" : "RHSA-2026:14272",
    "cpe" : "cpe:/a:redhat:amq_broker:7.13",
    "package" : "netty-codec-http"
  }, {
    "product_name" : "Red Hat AMQ Broker 7.14.0",
    "release_date" : "2026-04-16T00:00:00Z",
    "advisory" : "RHSA-2026:8509",
    "cpe" : "cpe:/a:redhat:amq_broker:7.14",
    "package" : "netty-codec-http"
  }, {
    "product_name" : "Red Hat Build of Apache Camel 4.14 for Quarkus 3.27",
    "release_date" : "2026-04-14T00:00:00Z",
    "advisory" : "RHSA-2026:8159",
    "cpe" : "cpe:/a:redhat:apache_camel_quarkus:3.27",
    "package" : "netty-codec-http"
  }, {
    "product_name" : "Red Hat build of Quarkus 3.20.6",
    "release_date" : "2026-04-14T00:00:00Z",
    "advisory" : "RHSA-2026:7109",
    "cpe" : "cpe:/a:redhat:quarkus:3.20::el8",
    "package" : "netty-codec-http"
  }, {
    "product_name" : "Red Hat build of Quarkus 3.27.3",
    "release_date" : "2026-04-14T00:00:00Z",
    "advisory" : "RHSA-2026:7380",
    "cpe" : "cpe:/a:redhat:quarkus:3.27::el8",
    "package" : "netty-codec-http"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8.1",
    "release_date" : "2026-05-18T00:00:00Z",
    "advisory" : "RHSA-2026:18059",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.1::el9",
    "package" : "netty-codec-http"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 8",
    "release_date" : "2026-05-18T00:00:00Z",
    "advisory" : "RHSA-2026:18054",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.1::el8",
    "package" : "eap8-netty-0:4.1.132-1.Final_redhat_00001.1.el8eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 8",
    "release_date" : "2026-05-18T00:00:00Z",
    "advisory" : "RHSA-2026:18054",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.1::el8",
    "package" : "eap8-netty-transport-native-epoll-0:4.1.132-1.Final_redhat_00001.1.el8eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 9",
    "release_date" : "2026-05-18T00:00:00Z",
    "advisory" : "RHSA-2026:18055",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.1::el9",
    "package" : "eap8-netty-0:4.1.132-1.Final_redhat_00001.1.el9eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 9",
    "release_date" : "2026-05-18T00:00:00Z",
    "advisory" : "RHSA-2026:18055",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.1::el9",
    "package" : "eap8-netty-transport-native-epoll-0:4.1.132-1.Final_redhat_00001.1.el9eap"
  }, {
    "product_name" : "Streams for Apache Kafka 3.2.0",
    "release_date" : "2026-05-04T00:00:00Z",
    "advisory" : "RHSA-2026:13571",
    "cpe" : "cpe:/a:redhat:amq_streams:3.2::el9"
  }, {
    "product_name" : "Red Hat OpenShift AI 2.25",
    "release_date" : "2026-04-23T00:00:00Z",
    "advisory" : "RHSA-2026:10184",
    "cpe" : "cpe:/a:redhat:openshift_ai:2.25::el9",
    "package" : "rhoai/odh-modelmesh-rhel9:1776756834"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces 3.27",
    "release_date" : "2026-04-23T00:00:00Z",
    "advisory" : "RHSA-2026:10175",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3.27::el9",
    "package" : "devspaces/openvsx-rhel9:1776716842"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces 3.27",
    "release_date" : "2026-04-23T00:00:00Z",
    "advisory" : "RHSA-2026:10175",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3.27::el9",
    "package" : "devspaces/pluginregistry-rhel9:1776717247"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces 3.27",
    "release_date" : "2026-04-23T00:00:00Z",
    "advisory" : "RHSA-2026:10175",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3.27::el9",
    "package" : "devspaces/server-rhel9:1776796445"
  } ],
  "package_state" : [ {
    "product_name" : "Cryostat 4",
    "fix_state" : "Affected",
    "package_name" : "netty-codec-http",
    "cpe" : "cpe:/a:redhat:cryostat:4"
  }, {
    "product_name" : "Logging Subsystem for Red Hat OpenShift",
    "fix_state" : "Will not fix",
    "package_name" : "openshift-logging/elasticsearch6-rhel9",
    "cpe" : "cpe:/a:redhat:logging:5"
  }, {
    "product_name" : "Logging Subsystem for Red Hat OpenShift",
    "fix_state" : "Will not fix",
    "package_name" : "openshift-logging/elasticsearch-operator-bundle",
    "cpe" : "cpe:/a:redhat:logging:5"
  }, {
    "product_name" : "Logging Subsystem for Red Hat OpenShift",
    "fix_state" : "Will not fix",
    "package_name" : "openshift-logging/elasticsearch-proxy-rhel9",
    "cpe" : "cpe:/a:redhat:logging:5"
  }, {
    "product_name" : "Logging Subsystem for Red Hat OpenShift",
    "fix_state" : "Will not fix",
    "package_name" : "openshift-logging/elasticsearch-rhel9-operator",
    "cpe" : "cpe:/a:redhat:logging:5"
  }, {
    "product_name" : "Logging Subsystem for Red Hat OpenShift",
    "fix_state" : "Will not fix",
    "package_name" : "openshift-logging/kibana6-rhel8",
    "cpe" : "cpe:/a:redhat:logging:5"
  }, {
    "product_name" : "Logging Subsystem for Red Hat OpenShift",
    "fix_state" : "Will not fix",
    "package_name" : "openshift-logging/logging-curator5-rhel9",
    "cpe" : "cpe:/a:redhat:logging:5"
  }, {
    "product_name" : "OpenShift Serverless",
    "fix_state" : "Affected",
    "package_name" : "openshift-serverless-1/kn-ekb-dispatcher-rhel9",
    "cpe" : "cpe:/a:redhat:serverless:1"
  }, {
    "product_name" : "OpenShift Serverless",
    "fix_state" : "Affected",
    "package_name" : "openshift-serverless-1/kn-ekb-receiver-rhel9",
    "cpe" : "cpe:/a:redhat:serverless:1"
  }, {
    "product_name" : "OpenShift Serverless",
    "fix_state" : "Will not fix",
    "package_name" : "openshift-serverless-1/kn-eventing-integrations-aws-ddb-streams-source-rhel9",
    "cpe" : "cpe:/a:redhat:serverless:1"
  }, {
    "product_name" : "OpenShift Serverless",
    "fix_state" : "Will not fix",
    "package_name" : "openshift-serverless-1/kn-eventing-integrations-aws-s3-sink-rhel9",
    "cpe" : "cpe:/a:redhat:serverless:1"
  }, {
    "product_name" : "OpenShift Serverless",
    "fix_state" : "Will not fix",
    "package_name" : "openshift-serverless-1/kn-eventing-integrations-aws-s3-source-rhel9",
    "cpe" : "cpe:/a:redhat:serverless:1"
  }, {
    "product_name" : "OpenShift Serverless",
    "fix_state" : "Will not fix",
    "package_name" : "openshift-serverless-1/kn-eventing-integrations-aws-sns-sink-rhel9",
    "cpe" : "cpe:/a:redhat:serverless:1"
  }, {
    "product_name" : "OpenShift Serverless",
    "fix_state" : "Will not fix",
    "package_name" : "openshift-serverless-1/kn-eventing-integrations-aws-sqs-sink-rhel9",
    "cpe" : "cpe:/a:redhat:serverless:1"
  }, {
    "product_name" : "OpenShift Serverless",
    "fix_state" : "Will not fix",
    "package_name" : "openshift-serverless-1/kn-eventing-integrations-aws-sqs-source-rhel9",
    "cpe" : "cpe:/a:redhat:serverless:1"
  }, {
    "product_name" : "OpenShift Serverless",
    "fix_state" : "Will not fix",
    "package_name" : "openshift-serverless-1/kn-eventing-integrations-log-sink-rhel9",
    "cpe" : "cpe:/a:redhat:serverless:1"
  }, {
    "product_name" : "OpenShift Serverless",
    "fix_state" : "Will not fix",
    "package_name" : "openshift-serverless-1/kn-eventing-integrations-timer-source-rhel9",
    "cpe" : "cpe:/a:redhat:serverless:1"
  }, {
    "product_name" : "Red Hat AMQ Clients",
    "fix_state" : "Affected",
    "package_name" : "netty-codec-http",
    "cpe" : "cpe:/a:redhat:amq_clients:2023"
  }, {
    "product_name" : "Red Hat build of Apache Camel 4 for Quarkus 3",
    "fix_state" : "Affected",
    "package_name" : "netty-codec-http",
    "cpe" : "cpe:/a:redhat:camel_quarkus:3"
  }, {
    "product_name" : "Red Hat build of Apache Camel for Spring Boot 4",
    "fix_state" : "Affected",
    "package_name" : "netty-codec-http",
    "cpe" : "cpe:/a:redhat:camel_spring_boot:4"
  }, {
    "product_name" : "Red Hat build of Apache Camel - HawtIO 4",
    "fix_state" : "Affected",
    "package_name" : "netty-codec-http",
    "cpe" : "cpe:/a:redhat:apache_camel_hawtio:4"
  }, {
    "product_name" : "Red Hat build of Apicurio Registry 2",
    "fix_state" : "Affected",
    "package_name" : "netty-codec-http",
    "cpe" : "cpe:/a:redhat:service_registry:2"
  }, {
    "product_name" : "Red Hat build of Apicurio Registry 3",
    "fix_state" : "Affected",
    "package_name" : "netty-codec-http",
    "cpe" : "cpe:/a:redhat:apicurio_registry:3"
  }, {
    "product_name" : "Red Hat build of Debezium 3",
    "fix_state" : "Will not fix",
    "package_name" : "netty-codec-http",
    "cpe" : "cpe:/a:redhat:debezium:3"
  }, {
    "product_name" : "Red Hat Build of Keycloak",
    "fix_state" : "Affected",
    "package_name" : "netty-codec-http",
    "cpe" : "cpe:/a:redhat:build_keycloak:"
  }, {
    "product_name" : "Red Hat build of OptaPlanner 8",
    "fix_state" : "Will not fix",
    "package_name" : "netty-codec-http",
    "cpe" : "cpe:/a:redhat:optaplanner:::el6"
  }, {
    "product_name" : "Red Hat Data Grid 8",
    "fix_state" : "Affected",
    "package_name" : "netty-codec-http",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3",
    "fix_state" : "Affected",
    "package_name" : "bazel6",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3",
    "fix_state" : "Affected",
    "package_name" : "bazel7",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3",
    "fix_state" : "Affected",
    "package_name" : "bazel8",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3"
  }, {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Will not fix",
    "package_name" : "netty-codec-http",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7",
    "fix_state" : "Will not fix",
    "package_name" : "netty-codec-http",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack",
    "fix_state" : "Not affected",
    "package_name" : "netty-codec-http",
    "cpe" : "cpe:/a:redhat:jbosseapxp"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Affected",
    "package_name" : "rhoai/odh-modelmesh-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Affected",
    "package_name" : "rhoai/odh-trustyai-service-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Affected",
    "package_name" : "rhoai/odh-trustyai-service-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat Process Automation 7",
    "fix_state" : "Affected",
    "package_name" : "netty-codec-http",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
  }, {
    "product_name" : "Red Hat Satellite 6",
    "fix_state" : "Not affected",
    "package_name" : "candlepin",
    "cpe" : "cpe:/a:redhat:satellite:6"
  }, {
    "product_name" : "Red Hat Satellite 6",
    "fix_state" : "Not affected",
    "package_name" : "satellite:el8/candlepin",
    "cpe" : "cpe:/a:redhat:satellite:6"
  }, {
    "product_name" : "Red Hat Single Sign-On 7",
    "fix_state" : "Will not fix",
    "package_name" : "netty-codec-http",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7"
  }, {
    "product_name" : "streams for Apache Kafka 2",
    "fix_state" : "Affected",
    "package_name" : "netty-codec-http",
    "cpe" : "cpe:/a:redhat:amq_streams:2"
  }, {
    "product_name" : "streams for Apache Kafka 3",
    "fix_state" : "Affected",
    "package_name" : "netty-codec-http",
    "cpe" : "cpe:/a:redhat:amq_streams:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-33870\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33870\nhttps://github.com/netty/netty/security/advisories/GHSA-pwqr-wmgm-9rr8\nhttps://w4ke.info/2025/06/18/funky-chunks.html\nhttps://w4ke.info/2025/10/29/funky-chunks-2.html\nhttps://www.rfc-editor.org/rfc/rfc9110" ],
  "name" : "CVE-2026-33870",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available, or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to a widespread installation base, or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}