Cyber Resilience

CVE-2026-42584

High · Public PoC · Updated

Published: 13 May 2026
Modified: 30 June 2026
KEV Added: not listed
Patch: fixed in 4.2.13.Final and 4.1.133.Final
CVSS Score: v3.1 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0063 (45.8th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-42584 is a high-severity HTTP request/response smuggling (CWE-444) vulnerability in Netty (vendor: Netty), specifically in how HttpClientCodec pairs pipelined responses with their requests. Its CVSS v3.1 base score is 7.3 (High).

Operationally, it ranks at the 45.8th percentile by EPSS exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.


Vulnerability details

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by calling queue.poll() once per response, including for 1xx interim responses. If the client pipelines GET then HEAD and the server sends 103, then 200 with the GET body, then 200 for HEAD, the queue pairs HEAD with the first 200. The HEAD rule then skips reading that message's body, so the GET entity bytes stay on the stream and the following 200 is parsed from the wrong offset. The result is a client-side response desynchronisation: from the mispaired response onward, responses are attributed to the wrong request or fail to parse at all. Exposure therefore requires a client that pipelines requests and a server that emits a 1xx interim response (such as 103 Early Hints) before the final one. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
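The pairing rule described above, reproduced as an added stand-alone model (this is not Netty code and does not use Netty's API): a decoder that keeps a queue of pipelined request methods is fed a constructed server stream of 103, 200 with a 5-byte body, and a header-only 200. The pre-fix rule polls the queue on every response, 1xx included; the fixed rule only peeks on a 1xx because the final response for that request is still pending. The server bytes, the `decode_responses` model and its `poll_on_1xx` switch are all constructed for this illustration.

```python
"""Model of the HttpClientCodec request/response pairing bug (constructed example).

This is NOT Netty code: it is a small stand-alone model of the pairing rule the
advisory describes, so the desync can be reproduced offline. The server bytes
below are constructed for the demonstration."""
from collections import deque

# Constructed server stream for a client that pipelined GET then HEAD:
#   103 (interim, for the GET) -> 200 with a 5-byte body (final, for the GET)
#   -> 200 for the HEAD (headers only, as HEAD responses carry no body).
SERVER_BYTES = (
    b"HTTP/1.1 103 Early Hints\r\nLink: </style.css>; rel=preload\r\n\r\n"
    b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"
    b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\n"
)
PIPELINED_METHODS = ["GET", "HEAD"]


def parse_head(buf: bytes):
    """Split one status line + header block off the front of buf.

    Returns (status_code, headers, remaining_bytes); raises ValueError when the
    bytes at the current offset are not a status line, which is exactly what a
    desynchronised decoder sees when stale body bytes are left on the stream."""
    end = buf.find(b"\r\n\r\n")
    if end < 0:
        raise ValueError("incomplete head")
    head, rest = buf[:end].decode("latin-1"), buf[end + 4:]
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/1.") or not parts[1].isdigit():
        raise ValueError(f"malformed status line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers, rest


def decode_responses(stream: bytes, methods, poll_on_1xx: bool):
    """Decode pipelined responses, pairing each with a request method.

    poll_on_1xx=True models the pre-fix rule (one poll per response, 1xx
    included); False models the fix (a 1xx only peeks, because the final
    response for the same request is still to come). 101 upgrades are out of
    scope for this model. Each result is (method, status, body); a decoder that
    can no longer find a status line records ("DESYNC", None, reason)."""
    queue = deque(methods)
    buf = stream
    results = []
    while buf:
        try:
            status, headers, buf = parse_head(buf)
        except ValueError as exc:
            results.append(("DESYNC", None, str(exc)))
            break
        informational = 100 <= status < 200
        if informational and not poll_on_1xx:
            method = queue[0] if queue else None         # peek: keep the pairing
        else:
            method = queue.popleft() if queue else None  # consume the pairing
        if informational or method == "HEAD":
            body = b""  # no body is read for a 1xx or for a HEAD response
        else:
            length = int(headers.get("content-length", "0"))
            body, buf = buf[:length], buf[length:]
        results.append((method, status, body))
    return results


def vulnerable_pairing():
    """Pre-fix behaviour: HEAD is paired with the GET's 200, its body is skipped,
    and the leftover body bytes corrupt the next status line."""
    return decode_responses(SERVER_BYTES, PIPELINED_METHODS, poll_on_1xx=True)


def fixed_pairing():
    """Fixed behaviour: the 103 does not consume the GET, so all three responses
    decode cleanly and in order."""
    return decode_responses(SERVER_BYTES, PIPELINED_METHODS, poll_on_1xx=False)


if __name__ == "__main__":
    for label, run in (("pre-fix", vulnerable_pairing), ("fixed", fixed_pairing)):
        print(label)
        for method, status, body in run():
            print(f"  {method!s:6} {status} {body!r}")
```

Running the model shows the second 200 being recorded as HEAD with an empty body under the pre-fix rule, after which the decoder hits `helloHTTP/1.1 200 OK` where a status line should be; the fixed rule yields GET/103, GET/200 with body `hello`, HEAD/200. Without the 103 the two rules behave identically, which is why the interim response is the trigger.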

CWE(s)

CWE-444: HTTP Request/Response Smuggling

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

Insufficient information to map techniques.
Confidence: LOW · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33870 (same product: Netty)
CVE-2026-42583 (same product: Netty)
CVE-2026-42587 (same product: Netty)
CVE-2026-33871 (same product: Netty)
CVE-2026-42579 (same product: Netty)
CVE-2026-42582 (same product: Netty)
CVE-2026-42577 (same product: Netty)
CVE-2025-24970 (same product: Netty)
CVE-2026-40562 (shared CWE-444)
CVE-2026-41873 (shared CWE-444)

Affected Assets

netty (netty)
4.1.x before 4.1.133.Final · 4.2.0 through 4.2.12.Final (fixed in 4.2.13.Final)
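An added affected-version check derived from the two fix versions named on this page (this is not Netty tooling and not part of the original page). It parses Netty version strings, flags anything on the 4.1 line below 4.1.133 or on the 4.2 line below 4.2.13, and scans `mvn dependency:tree` text for `io.netty` coordinates; the dependency tree below is constructed sample input, and version lines the advisory does not name (such as 4.0.x) are reported as out of scope rather than as clean.

```python
"""Affected-version check for this advisory (constructed example, not Netty tooling).

Fixed versions come from the advisory text: 4.1.133.Final and 4.2.13.Final.
Every version of the 4.1 line below 4.1.133 and of the 4.2 line below 4.2.13 is
treated as affected. The Maven dependency:tree output is constructed sample input."""
import re

# (major, minor) -> first fixed patch level, per the advisory
FIRST_FIXED = {(4, 1): 133, (4, 2): 13}

# Constructed `mvn dependency:tree` output; artifact names are typical Netty
# modules, versions were chosen to show affected and fixed coordinates side by side.
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0.0
[INFO] +- io.netty:netty-codec-http:jar:4.1.130.Final:compile
[INFO] |  +- io.netty:netty-common:jar:4.1.130.Final:compile
[INFO] |  \\- io.netty:netty-codec:jar:4.1.130.Final:compile
[INFO] \\- io.netty:netty-handler:jar:4.2.13.Final:compile
"""

NETTY_COORD = re.compile(r"io\.netty:([\w.-]+):jar:([\w.-]+):")


def parse_version(version: str):
    """Return (major, minor, patch) from strings like '4.1.132.Final' or '4.2.0.RC1'."""
    nums = []
    for part in version.split("."):
        if not part.isdigit():
            break
        nums.append(int(part))
    if len(nums) < 3:
        raise ValueError(f"unrecognised Netty version: {version!r}")
    return tuple(nums[:3])


def is_affected(version: str) -> bool:
    """True when the version is on the 4.1 or 4.2 line and below the first fix.

    Lines the advisory does not name (e.g. 4.0.x) raise, rather than silently
    reporting 'not affected'."""
    major, minor, patch = parse_version(version)
    try:
        return patch < FIRST_FIXED[(major, minor)]
    except KeyError:
        raise ValueError(f"version line {major}.{minor} is not covered by this advisory") from None


def scan_dependency_tree(text: str):
    """Return sorted unique (artifact, version, affected) triples for io.netty coordinates."""
    found = set()
    for artifact, version in NETTY_COORD.findall(text):
        found.add((artifact, version, is_affected(version)))
    return sorted(found)


if __name__ == "__main__":
    for artifact, version, affected in scan_dependency_tree(SAMPLE_TREE):
        print(f"{'AFFECTED' if affected else 'ok      '} {artifact} {version}")
```

Feed it the real output of `mvn dependency:tree` (or an equivalent Gradle listing reshaped to `group:artifact:jar:version:` coordinates) instead of `SAMPLE_TREE`; a mixed tree like the sample one is exactly the situation where a single `netty-handler` upgrade hides an unpatched `netty-codec-http`.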

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
