Copyright © 2012 Red Hat, Inc. All rights reserved. Moderate 2026-05-13T18:12:39 netty: io.netty/netty-codec-http: Netty: Request smuggling via malformed Transfer-Encoding parsing 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CWE-444

A flaw was found in Netty. This vulnerability allows a remote attacker to perform request smuggling attacks due to incorrect parsing of malformed Transfer-Encoding headers. By exploiting this flaw, an attacker can bypass security controls and potentially access sensitive information or manipulate web traffic.

This Moderate flaw in Netty's HTTP codec allows for request smuggling attacks due to improper parsing of malformed Transfer-Encoding headers. An attacker could exploit this to bypass security controls, potentially leading to unauthorized access to sensitive information or manipulation of web traffic in Red Hat products utilizing affected Netty versions, particularly when deployed behind a proxy or load balancer. Cryostat 4 Fix deferred netty-codec-http OpenShift Serverless Fix deferred openshift-serverless-1/kn-ekb-dispatcher-rhel9 OpenShift Serverless Fix deferred openshift-serverless-1/kn-ekb-receiver-rhel9 OpenShift Serverless Fix deferred openshift-serverless-1/kn-eventing-integrations-aws-ddb-streams-source-rhel9 OpenShift Serverless Fix deferred openshift-serverless-1/kn-eventing-integrations-aws-s3-sink-rhel9 OpenShift Serverless Fix deferred openshift-serverless-1/kn-eventing-integrations-aws-s3-source-rhel9 OpenShift Serverless Fix deferred openshift-serverless-1/kn-eventing-integrations-aws-sns-sink-rhel9 OpenShift Serverless Fix deferred openshift-serverless-1/kn-eventing-integrations-aws-sqs-sink-rhel9 OpenShift Serverless Fix deferred openshift-serverless-1/kn-eventing-integrations-aws-sqs-source-rhel9 OpenShift Serverless Fix deferred openshift-serverless-1/kn-eventing-integrations-log-sink-rhel9 OpenShift Serverless Fix deferred openshift-serverless-1/kn-eventing-integrations-timer-source-rhel9 Red Hat AMQ Broker 7 Fix deferred netty-codec-http Red Hat AMQ Clients Fix deferred netty-codec-http Red Hat build of Apache Camel 4 for Quarkus 3 Fix deferred netty-codec-http Red Hat build of Apache Camel for Spring Boot 4 Fix deferred netty-codec-http Red Hat build of Apicurio Registry 2 Fix deferred netty-codec-http Red Hat build of Apicurio Registry 3 Fix deferred netty-codec-http Red Hat build of Debezium 3 Fix deferred netty-codec-http Red Hat Build of Keycloak Fix deferred netty-codec-http Red Hat Build of Keycloak Fix deferred rhbk/keycloak-rhel9 Red Hat Build of Keycloak Fix deferred rhbk/keycloak-rhel9-operator Red Hat Build of Keycloak Fix deferred rhbk-openshift-rhel9/rhbk-openshift-rhel9 Red Hat Build of Keycloak Fix deferred rhbk-rhel9-operator/rhbk-rhel9-operator Red Hat build of OptaPlanner 8 Fix deferred netty-codec-http Red Hat build of Quarkus Fix deferred netty-codec-http Red Hat Data Grid 8 Fix deferred netty-codec-http Red Hat Enterprise Linux AI (RHEL AI) 3 Not affected bazel6 Red Hat Enterprise Linux AI (RHEL AI) 3 Not affected bazel7 Red Hat Enterprise Linux AI (RHEL AI) 3 Not affected bazel8 Red Hat Fuse 7 Fix deferred netty-codec-http Red Hat JBoss Enterprise Application Platform 7 Affected netty-codec-http Red Hat JBoss Enterprise Application Platform 8 Affected netty-codec-http Red Hat JBoss Enterprise Application Platform Expansion Pack Fix deferred netty-codec-http Red Hat OpenShift AI (RHOAI) Fix deferred rhoai/odh-modelmesh-rhel8 Red Hat OpenShift AI (RHOAI) Fix deferred rhoai/odh-modelmesh-rhel9 Red Hat OpenShift AI (RHOAI) Fix deferred rhoai/odh-spark-operator-rhel9 Red Hat OpenShift AI (RHOAI) Fix deferred rhoai/odh-th06-cpu-torch210-py312-rhel9 Red Hat OpenShift AI (RHOAI) Fix deferred rhoai/odh-th06-cpu-torch291-py312-rhel9 Red Hat OpenShift AI (RHOAI) Fix deferred rhoai/odh-th06-cuda130-torch210-py312-rhel9 Red Hat OpenShift AI (RHOAI) Fix deferred rhoai/odh-th06-cuda130-torch291-py312-rhel9 Red Hat OpenShift AI (RHOAI) Fix deferred rhoai/odh-th06-rocm64-torch291-py312-rhel9 Red Hat OpenShift AI (RHOAI) Fix deferred rhoai/odh-trustyai-service-rhel8 Red Hat OpenShift AI (RHOAI) Fix deferred rhoai/odh-trustyai-service-rhel9 Red Hat OpenShift Dev Spaces Fix deferred devspaces/multicluster-redirector-rhel9 Red Hat OpenShift Dev Spaces Fix deferred devspaces/openvsx-rhel9 Red Hat OpenShift Dev Spaces Fix deferred devspaces/pluginregistry-rhel9 Red Hat OpenShift Dev Spaces Fix deferred devspaces/server-rhel9 Red Hat Process Automation 7 Fix deferred netty-codec-http Red Hat Satellite 6 Not affected candlepin Red Hat Satellite 6 Not affected satellite:el8/candlepin Red Hat Single Sign-On 7 Fix deferred netty-codec-http streams for Apache Kafka 2 Fix deferred netty-codec-http streams for Apache Kafka 3 Fix deferred netty-codec-http https://www.cve.org/CVERecord?id=CVE-2026-42585 https://nvd.nist.gov/vuln/detail/CVE-2026-42585 https://github.com/netty/netty/security/advisories/GHSA-38f8-5428-x5cv