Copyright © 2012 Red Hat, Inc. All rights reserved. Important 2026-05-13T18:10:48 netty: io.netty/netty-codec-http: Netty: Incorrect HTTP response parsing leads to data confusion 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L CWE-444

A flaw was found in Netty, an asynchronous, event-driven network application framework. A remote attacker could exploit this vulnerability by sending a specific sequence of HTTP responses (103, followed by a 200 with a GET body, then another 200 for a HEAD request) when the client pipelines GET then HEAD requests. This can cause the HttpClientCodec to incorrectly pair responses, leading to subsequent HTTP responses being parsed from the wrong offset. This issue may result in information disclosure or other data integrity problems due to misinterpretation of network traffic.

Important: A flaw in Netty's HttpClientCodec allows a remote attacker to cause data confusion. By sending a specially crafted sequence of HTTP responses, an attacker can cause subsequent HTTP responses to be parsed incorrectly, potentially leading to information disclosure or data integrity issues in applications utilizing Netty for HTTP client operations. This vulnerability affects various Red Hat products that bundle Netty, including Red Hat AMQ, Enterprise Application Platform, Red Hat Build of Quarkus, and Red Hat Build of Keycloak. Cryostat 4 Affected netty-codec-http OpenShift Serverless Affected openshift-serverless-1/kn-ekb-dispatcher-rhel9 OpenShift Serverless Affected openshift-serverless-1/kn-ekb-receiver-rhel9 OpenShift Serverless Affected openshift-serverless-1/kn-eventing-integrations-aws-ddb-streams-source-rhel9 OpenShift Serverless Affected openshift-serverless-1/kn-eventing-integrations-aws-s3-sink-rhel9 OpenShift Serverless Affected openshift-serverless-1/kn-eventing-integrations-aws-s3-source-rhel9 OpenShift Serverless Affected openshift-serverless-1/kn-eventing-integrations-aws-sns-sink-rhel9 OpenShift Serverless Affected openshift-serverless-1/kn-eventing-integrations-aws-sqs-sink-rhel9 OpenShift Serverless Affected openshift-serverless-1/kn-eventing-integrations-aws-sqs-source-rhel9 OpenShift Serverless Affected openshift-serverless-1/kn-eventing-integrations-log-sink-rhel9 OpenShift Serverless Affected openshift-serverless-1/kn-eventing-integrations-timer-source-rhel9 Red Hat AMQ Broker 7 Affected netty-codec-http Red Hat AMQ Clients Affected netty-codec-http Red Hat build of Apache Camel 4 for Quarkus 3 Affected netty-codec-http Red Hat build of Apache Camel for Spring Boot 4 Affected netty-codec-http Red Hat build of Apicurio Registry 2 Affected netty-codec-http Red Hat build of Apicurio Registry 3 Affected netty-codec-http Red Hat build of Debezium 3 Affected netty-codec-http Red Hat Build of Keycloak Affected netty-codec-http Red Hat Build of Keycloak Affected rhbk/keycloak-rhel9 Red Hat Build of Keycloak Affected rhbk/keycloak-rhel9-operator Red Hat Build of Keycloak Affected rhbk-openshift-rhel9/rhbk-openshift-rhel9 Red Hat Build of Keycloak Affected rhbk-rhel9-operator/rhbk-rhel9-operator Red Hat build of OptaPlanner 8 Affected netty-codec-http Red Hat build of Quarkus Affected netty-codec-http Red Hat Data Grid 8 Affected netty-codec-http Red Hat Enterprise Linux AI (RHEL AI) 3 Affected bazel6 Red Hat Enterprise Linux AI (RHEL AI) 3 Affected bazel7 Red Hat Enterprise Linux AI (RHEL AI) 3 Affected bazel8 Red Hat Fuse 7 Will not fix netty-codec-http Red Hat JBoss Enterprise Application Platform 7 Affected netty-codec-http Red Hat JBoss Enterprise Application Platform 8 Affected netty-codec-http Red Hat JBoss Enterprise Application Platform Expansion Pack Will not fix netty-codec-http Red Hat OpenShift AI (RHOAI) Affected rhoai/odh-modelmesh-rhel8 Red Hat OpenShift AI (RHOAI) Affected rhoai/odh-modelmesh-rhel9 Red Hat OpenShift AI (RHOAI) Affected rhoai/odh-spark-operator-rhel9 Red Hat OpenShift AI (RHOAI) Affected rhoai/odh-th06-cpu-torch210-py312-rhel9 Red Hat OpenShift AI (RHOAI) Affected rhoai/odh-th06-cpu-torch291-py312-rhel9 Red Hat OpenShift AI (RHOAI) Affected rhoai/odh-th06-cuda130-torch210-py312-rhel9 Red Hat OpenShift AI (RHOAI) Affected rhoai/odh-th06-cuda130-torch291-py312-rhel9 Red Hat OpenShift AI (RHOAI) Affected rhoai/odh-th06-rocm64-torch291-py312-rhel9 Red Hat OpenShift AI (RHOAI) Affected rhoai/odh-trustyai-service-rhel8 Red Hat OpenShift AI (RHOAI) Affected rhoai/odh-trustyai-service-rhel9 Red Hat OpenShift Dev Spaces Affected devspaces/multicluster-redirector-rhel9 Red Hat OpenShift Dev Spaces Affected devspaces/openvsx-rhel9 Red Hat OpenShift Dev Spaces Affected devspaces/pluginregistry-rhel9 Red Hat OpenShift Dev Spaces Affected devspaces/server-rhel9 Red Hat Process Automation 7 Affected netty-codec-http Red Hat Satellite 6 Affected candlepin Red Hat Satellite 6 Affected satellite:el8/candlepin Red Hat Single Sign-On 7 Affected netty-codec-http streams for Apache Kafka 2 Not affected netty-codec-http streams for Apache Kafka 3 Affected netty-codec-http https://www.cve.org/CVERecord?id=CVE-2026-42584 https://nvd.nist.gov/vuln/detail/CVE-2026-42584 https://github.com/netty/netty/security/advisories/GHSA-57rv-r2g8-2cj3