Bug#1136023: netty: CVE-2026-41417
Moritz Mühlenhoff
jmm at inutil.org
Fri May 8 15:22:21 BST 2026
Source: netty
X-Debbugs-CC: team at security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for netty.
CVE-2026-41417[0]:
| Netty allows request-line validation to be bypassed when a
| `DefaultHttpRequest` or `DefaultFullHttpRequest` is created first
| and its URI is later changed via `setUri()`. The constructors reject
| CRLF and whitespace characters that would break the start-line, but
| `setUri()` does not apply the same validation. `HttpRequestEncoder`
| and `RtspEncoder` then write the URI into the request line verbatim.
| If attacker-controlled input reaches `setUri()`, this enables CRLF
| injection and insertion of additional HTTP or RTSP requests, leading
| to HTTP request smuggling or desynchronization on the HTTP side and
| request injection on the RTSP side. This issue is fixed in versions
| 4.2.13.Final and 4.1.133.Final.
https://github.com/netty/netty/security/advisories/GHSA-v8h7-rr48-vmmv
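The advisory above describes the gap: the constructors reject characters that would break the start-line, `setUri()` does not, and the encoders write the URI verbatim. As an added example (not netty's code and not part of this bug report), the following stand-alone Java guard shows the kind of check a caller can apply to any externally influenced value before handing it to `setUri()` while still on an unfixed version. It assumes the constructor validation amounts to rejecting CR, LF, whitespace and other ASCII control characters; that is a reading of the advisory text, not netty's exact rules, and `RequestLineUriGuard`, `isSafeRequestLineUri` and `requireSafeRequestLineUri` are names invented for this example. The sample inputs in `main` are constructed.

```java
import java.util.List;

/**
 * Added example: a guard for URI strings that are about to be written
 * verbatim into an HTTP or RTSP request line. Has no netty dependency so
 * it can be compiled and run on its own.
 */
public final class RequestLineUriGuard {

    private RequestLineUriGuard() {}

    /**
     * Returns true when the string can appear as the request-target of a
     * start-line without terminating or splitting it: no CR, LF, NUL,
     * space, horizontal tab, or any other ASCII control character.
     * Assumption: this approximates the constructor check the advisory
     * mentions; netty's own rules may differ in detail.
     */
    public static boolean isSafeRequestLineUri(String uri) {
        if (uri == null || uri.isEmpty()) {
            return false;
        }
        for (int i = 0; i < uri.length(); i++) {
            char c = uri.charAt(i);
            // Space and tab end the request-target early; CR/LF end the line.
            if (c == ' ' || c == '\t' || c == '\r' || c == '\n') {
                return false;
            }
            // Remaining C0 controls and DEL are never valid in a request-target.
            if (c < 0x20 || c == 0x7f) {
                return false;
            }
        }
        return true;
    }

    /**
     * Validates and returns the URI, or throws. Intended usage on an
     * affected version: request.setUri(requireSafeRequestLineUri(value)).
     */
    public static String requireSafeRequestLineUri(String uri) {
        if (!isSafeRequestLineUri(uri)) {
            throw new IllegalArgumentException(
                "URI contains characters that would break the request line: " + describe(uri));
        }
        return uri;
    }

    /** Renders control characters as escapes so a log line never contains a raw CR or LF. */
    static String describe(String uri) {
        if (uri == null) {
            return "<null>";
        }
        StringBuilder sb = new StringBuilder();
        for (char c : uri.toCharArray()) {
            if (c == '\r') {
                sb.append("\\r");
            } else if (c == '\n') {
                sb.append("\\n");
            } else if (c == '\t') {
                sb.append("\\t");
            } else if (c < 0x20 || c == 0x7f) {
                sb.append(String.format("\\x%02x", (int) c));
            } else {
                sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed samples: one ordinary target and three that would break the start-line.
        List<String> samples = List.of(
            "/api/items?id=42",
            "/search?q=a b",
            "/x\r\nHeader: value",
            "/y\nsecond line");
        for (String s : samples) {
            System.out.printf("%-28s -> %s%n", describe(s),
                isSafeRequestLineUri(s) ? "safe" : "REJECT");
        }
    }
}
```

The guard only rejects raw characters; percent-encoded forms such as `%20` or `%0d%0a` pass because they do not break the start-line, so apply it to the string exactly as it will be passed to `setUri()`, after any decoding or normalisation your own code performs. It is a caller-side mitigation for code paths that cannot yet move to 4.2.13.Final or 4.1.133.Final, not a substitute for the upgrade.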
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-41417
https://www.cve.org/CVERecord?id=CVE-2026-41417
Please adjust the affected versions in the BTS as needed.