CVE-2026-42580 Overview
CVE-2026-42580 affects Netty, an asynchronous event-driven network application framework widely embedded in Java-based servers, proxies, and microservices. The vulnerability resides in Netty's HTTP chunk size parser, which silently overflows a 32-bit integer when processing crafted chunk size values. Attackers exploit this parsing inconsistency to perform HTTP request smuggling against downstream systems. The flaw maps to CWE-190: Integer Overflow or Wraparound. Maintainers fixed the issue in Netty 4.2.13.Final and 4.1.133.Final.
Critical Impact
Remote, unauthenticated attackers can smuggle HTTP requests through Netty-based servers, bypassing front-end security controls and poisoning downstream request queues.
Affected Products
- Netty versions prior to 4.2.13.Final
- Netty versions prior to 4.1.133.Final
- Applications and frameworks embedding vulnerable Netty HTTP codecs
Discovery Timeline
- 2026-05-13 - CVE-2026-42580 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-42580
Vulnerability Analysis
Netty implements HTTP/1.1 chunked transfer encoding through its HTTP codec module. The chunk size parser reads the hexadecimal chunk length from the wire and converts it to a native integer. The parser does not validate the resulting magnitude against Integer.MAX_VALUE before continuing. Sufficiently large chunk size values wrap around the signed 32-bit boundary and produce a small or negative value internally.
A front-end proxy and a Netty back-end then disagree on where one request ends and the next begins. This disagreement is the precondition for HTTP request smuggling. Attackers leverage the desynchronization to inject a second request that the back-end attributes to a different client.
Root Cause
The root cause is missing overflow detection in the chunk size conversion routine. The parser accepts the raw hexadecimal value, multiplies and accumulates digits, and stores the result as a signed int without checking for wraparound. The fixed releases reject chunk size declarations that exceed the representable range and terminate the connection rather than silently truncating.
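The accumulate-and-store pattern described above, shown as an added illustration rather than Netty's own code: a minimal chunk-size parser that wraps silently beside one that refuses any value outside the non-negative int range before the multiplication happens. The class and method names are invented for this example, and the sample lines in main are constructed. The checked variant is also the bound check a proxy can apply to the raw chunk-size line.

```java
import java.util.List;

/**
 * Two illustrative chunk-size parsers (not Netty's own code) that take the
 * text of an HTTP/1.1 chunk-size line such as "1f\r\n" or "ff;name=val\r\n"
 * and return the declared chunk length as a Java int.
 */
public final class ChunkSizeParsing {

    private ChunkSizeParsing() {}

    /** Value of an ASCII hex digit, or -1 for anything else (';', CR, LF, space). */
    private static int hexValue(char c) {
        if (c >= '0' && c <= '9') return c - '0';
        if (c >= 'a' && c <= 'f') return c - 'a' + 10;
        if (c >= 'A' && c <= 'F') return c - 'A' + 10;
        return -1;
    }

    /**
     * The weak pattern: accumulate digits into a signed int and never ask
     * whether the multiplication wrapped. "80000000" becomes Integer.MIN_VALUE
     * and "100000000" becomes 0, which a chunked decoder reads as "last chunk".
     */
    public static int parseUnchecked(String line) {
        int size = 0;
        for (int i = 0; i < line.length(); i++) {
            int digit = hexValue(line.charAt(i));
            if (digit < 0) {
                break; // first non-hex byte ends the size token
            }
            size = size * 16 + digit; // silently wraps past Integer.MAX_VALUE
        }
        return size;
    }

    /**
     * Hardened version: refuse any size that would not fit in a non-negative
     * int before the multiplication happens, and refuse an empty token.
     */
    public static int parseChecked(String line) {
        int size = 0;
        int digits = 0;
        for (int i = 0; i < line.length(); i++) {
            int digit = hexValue(line.charAt(i));
            if (digit < 0) {
                break;
            }
            // size * 16 + digit <= Integer.MAX_VALUE  <=>  size <= (MAX - digit) / 16
            if (size > (Integer.MAX_VALUE - digit) / 16) {
                throw new IllegalArgumentException(
                        "chunk size does not fit in a 32-bit int: " + line.trim());
            }
            size = size * 16 + digit;
            digits++;
        }
        if (digits == 0) {
            throw new IllegalArgumentException("chunk size line has no hex digits");
        }
        return size;
    }

    /** Constructed sample lines; the last three are the overflow cases. */
    public static void main(String[] args) {
        List<String> samples = List.of(
                "1f\r\n", "ff;ext=1\r\n", "7fffffff\r\n",
                "80000000\r\n", "100000000\r\n", "ffffffff\r\n");
        for (String line : samples) {
            String checked;
            try {
                checked = Integer.toString(parseChecked(line));
            } catch (IllegalArgumentException e) {
                checked = "REJECTED (" + e.getMessage() + ")";
            }
            System.out.printf("%-14s unchecked=%-12d checked=%s%n",
                    line.trim(), parseUnchecked(line), checked);
        }
    }
}
```

The comparison is done before the multiply rather than after it because a wrapped int carries no trace of having wrapped; the same guard in long arithmetic, or Math.multiplyExact and Math.addExact, would work equally well. A decoder that reaches a zero or negative size from a line with nine or more hex digits is exactly the framing disagreement the advisory describes.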
Attack Vector
Exploitation requires only the ability to send HTTP requests to a Netty-fronted service. The attacker submits a request whose Transfer-Encoding: chunked body contains a chunk size line whose value is large enough to trigger the integer overflow. Where a reverse proxy interprets the chunk length correctly and Netty does not, the byte boundary between requests shifts. The attacker then appends a smuggled request prefix that the Netty back-end parses as a standalone follow-on request. The vulnerability is described in the Netty GitHub Security Advisory.
Detection Methods for CVE-2026-42580
Indicators of Compromise
- HTTP requests containing chunk size fields with abnormally large hexadecimal values approaching or exceeding 0x80000000
- Mismatched Content-Length and Transfer-Encoding headers in the same request
- Back-end access logs showing requests with no corresponding entry in front-end proxy logs
Detection Strategies
- Inspect HTTP/1.1 chunk size tokens at the proxy layer and reject values exceeding a sane upper bound such as 0x7FFFFFFF
- Compare request counts and URIs between front-end and back-end logs to surface desynchronization
- Apply web application firewall (WAF) signatures that flag malformed chunked encoding and ambiguous framing headers
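The front-end versus back-end log comparison above, as an added example that is not part of the original advisory: it tallies "METHOD URI" pairs in each log and reports the back-end requests the proxy never recorded, which is the indicator listed earlier. Both log formats and every line in them are constructed for this example; the field offsets passed to countRequests are an assumption about those constructed layouts, not about any real proxy or Netty log.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/**
 * Counts "METHOD URI" pairs in front-end and back-end access logs and reports
 * the back-end requests that the proxy never saw. Log formats are constructed
 * for this example; adapt the field offsets to the real log layout.
 */
public final class SmuggledRequestFinder {

    private SmuggledRequestFinder() {}

    /** Constructed proxy log: timestamp, client IP, method, URI, status. */
    static final List<String> FRONTEND_LOG = List.of(
            "2026-05-13T10:00:01Z 203.0.113.5 POST /api/upload 200",
            "2026-05-13T10:00:02Z 203.0.113.9 GET /account 200",
            "2026-05-13T10:00:03Z 203.0.113.5 GET /account 200");

    /** Constructed back-end log: timestamp, method, URI, status. */
    static final List<String> BACKEND_LOG = List.of(
            "2026-05-13T10:00:01Z POST /api/upload 200",
            "2026-05-13T10:00:01Z GET /admin/users 200",
            "2026-05-13T10:00:02Z GET /account 200",
            "2026-05-13T10:00:03Z GET /account 200",
            "2026-05-13T10:00:03Z GET /account 200");

    /**
     * Tallies "METHOD URI" per log. methodIndex is the whitespace-separated
     * field holding the method (2 for the proxy format above, 1 for the back-end).
     */
    public static Map<String, Integer> countRequests(List<String> lines, int methodIndex) {
        Map<String, Integer> counts = new LinkedHashMap<>();
        for (String line : lines) {
            String[] fields = line.trim().split("\\s+");
            if (fields.length <= methodIndex + 1) {
                continue; // malformed line; a production job would count and report it
            }
            String key = fields[methodIndex] + " " + fields[methodIndex + 1];
            counts.merge(key, 1, Integer::sum);
        }
        return counts;
    }

    /**
     * Back-end requests with no matching front-end entry: for each key the
     * back-end count minus the front-end count, kept only where positive.
     */
    public static Map<String, Integer> unmatchedBackendRequests(
            Map<String, Integer> frontend, Map<String, Integer> backend) {
        Map<String, Integer> excess = new LinkedHashMap<>();
        for (Map.Entry<String, Integer> e : backend.entrySet()) {
            int diff = e.getValue() - frontend.getOrDefault(e.getKey(), 0);
            if (diff > 0) {
                excess.put(e.getKey(), diff);
            }
        }
        return excess;
    }

    public static void main(String[] args) {
        Map<String, Integer> front = countRequests(FRONTEND_LOG, 2);
        Map<String, Integer> back = countRequests(BACKEND_LOG, 1);
        Map<String, Integer> excess = unmatchedBackendRequests(front, back);
        if (excess.isEmpty()) {
            System.out.println("front-end and back-end request counts agree");
        }
        excess.forEach((req, n) ->
                System.out.println("back-end saw " + n + " more of '" + req
                        + "' than the proxy did"));
    }
}
```

With the constructed logs the comparison flags one GET /admin/users and one extra GET /account on the back-end. Counting per method-and-URI rather than matching individual lines keeps the check usable when the two logs carry different timestamps or identifiers; bucketing the counts by a time window before comparing makes it practical on logs that roll continuously.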
Monitoring Recommendations
- Alert on Netty-based services that emit IllegalArgumentException or codec errors tied to chunk parsing
- Track unexpected response pairings where a client receives a response intended for another session
- Monitor for sudden bursts of 400 Bad Request responses from upstream proxies after deploying chunk validation
How to Mitigate CVE-2026-42580
Immediate Actions Required
- Upgrade Netty to 4.2.13.Final or 4.1.133.Final in all dependent applications and rebuild downstream artifacts
- Audit transitive dependencies in Maven and Gradle projects to confirm the patched Netty version is resolved at runtime
- Restart all services after deployment to ensure the updated codec is loaded
Patch Information
The Netty maintainers released fixes in versions 4.2.13.Final and 4.1.133.Final. The patched releases add explicit overflow checks to the chunk size parser and abort the connection when the declared chunk length cannot be represented. Refer to the Netty GitHub Security Advisory GHSA-m4cv-j2px-7723 for release notes and commit references.
Workarounds
- Deploy a strict HTTP-aware reverse proxy that normalizes or rejects chunked requests with oversized chunk size declarations
- Disable HTTP/1.1 keep-alive on Netty endpoints exposed to untrusted networks to reduce the impact of request queue desynchronization
- Enforce a maximum request body size at the load balancer to constrain attacker-controlled chunk values
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.