Vulnerability-Lookup

RHSA-2026:8159

Vulnerability from csaf_redhat - Published: 2026-04-14 17:20 - Updated: 2026-04-15 02:27

Summary

Red Hat Security Advisory: Red Hat Build of Apache Camel 4.14 for Quarkus 3.27 update is now available (RHBQ 3.27.3.GA)

Severity

Important

Notes

Topic: An update for Red Hat Build of Apache Camel 4.14 for Quarkus 3.27 update is now available (RHBQ 3.27.3.GA). The purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products.

Details: An update for Red Hat Build of Apache Camel 4.14 for Quarkus 3.27 update is now available (RHBQ 3.27.3.GA). The purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products: * vertx-core: static handler component cache can be manipulated to deny the access to static files (CVE-2026-1002) * netty-codec-http: Netty: Request smuggling via incorrect parsing of HTTP/1.1 chunked transfer encoding extension values (CVE-2026-33870) * netty-codec-http2: Netty: Denial of Service via HTTP/2 CONTINUATION frame flood (CVE-2026-33871)

Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

CVE-2026-1002

A flaw was found in Vert.x. The Web static handler component cache can be manipulated to deny the access to static files served by the handler using specifically crafted request URIs, preventing legitimate users from accessing static files with an HTTP 404 response.

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Vendor Fix Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on. The References section of this erratum contains a download link (you must log in to download the update). https://access.redhat.com/errata/RHSA-2026:8159

Workaround To mitigate this vulnerability, consider disabling the static handler cache by configuring the StaticHandler instance with setCachingEnabled(false), for example: ~~~ StaticHandler staticHandler = StaticHandler.create().setCachingEnabled(false); ~~~

CVE-2026-33870

A flaw was found in Netty. A remote attacker could exploit this vulnerability by sending specially crafted HTTP/1.1 chunked transfer encoding extension values. Due to incorrect parsing of quoted strings, this flaw enables request smuggling attacks, potentially allowing an attacker to bypass security controls or access unauthorized information.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Workaround Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

CVE-2026-33871

A flaw was found in Netty. A remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of CONTINUATION frames. The server's lack of a limit on these frames, coupled with a bypass of size-based mitigations using zero-byte frames, allows an attacker to consume excessive CPU resources. This can render the server unresponsive with minimal bandwidth usage.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-770 - Allocation of Resources Without Limits or Throttling

References

URL

Category

	https://access.redhat.com/errata/RHSA-2026:8159	self
	https://access.redhat.com/security/updates/classi…	external
	https://bugzilla.redhat.com/show_bug.cgi?id=2430180	external
	https://bugzilla.redhat.com/show_bug.cgi?id=2452453	external
	https://bugzilla.redhat.com/show_bug.cgi?id=2452456	external
	https://security.access.redhat.com/data/csaf/v2/a…	self
	https://access.redhat.com/security/cve/CVE-2026-1002	self
	https://bugzilla.redhat.com/show_bug.cgi?id=2430180	external
	https://www.cve.org/CVERecord?id=CVE-2026-1002	external
	https://nvd.nist.gov/vuln/detail/CVE-2026-1002	external
	https://github.com/eclipse-vertx/vert.x/pull/5895	external
	https://access.redhat.com/security/cve/CVE-2026-33870	self
	https://bugzilla.redhat.com/show_bug.cgi?id=2452453	external
	https://www.cve.org/CVERecord?id=CVE-2026-33870	external
	https://nvd.nist.gov/vuln/detail/CVE-2026-33870	external
	https://github.com/netty/netty/security/advisorie…	external
	https://w4ke.info/2025/06/18/funky-chunks.html	external
	https://w4ke.info/2025/10/29/funky-chunks-2.html	external
	https://www.rfc-editor.org/rfc/rfc9110	external
	https://access.redhat.com/security/cve/CVE-2026-33871	self
	https://bugzilla.redhat.com/show_bug.cgi?id=2452456	external
	https://www.cve.org/CVERecord?id=CVE-2026-33871	external
	https://nvd.nist.gov/vuln/detail/CVE-2026-33871	external
	https://github.com/netty/netty/security/advisorie…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for Red Hat Build of Apache Camel 4.14 for Quarkus 3.27 update is now available (RHBQ 3.27.3.GA).\nThe purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "An update for Red Hat Build of Apache Camel 4.14 for Quarkus 3.27 update is now available (RHBQ 3.27.3.GA).\nThe purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products:\n* vertx-core: static handler component cache can be manipulated to deny the access to static files (CVE-2026-1002)\n* netty-codec-http: Netty: Request smuggling via incorrect parsing of HTTP/1.1 chunked transfer encoding extension values (CVE-2026-33870)\n* netty-codec-http2: Netty: Denial of Service via HTTP/2 CONTINUATION frame flood (CVE-2026-33871)",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2026:8159",
        "url": "https://access.redhat.com/errata/RHSA-2026:8159"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "2430180",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2430180"
      },
      {
        "category": "external",
        "summary": "2452453",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452453"
      },
      {
        "category": "external",
        "summary": "2452456",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452456"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_8159.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat Build of Apache Camel 4.14 for Quarkus 3.27 update is now available (RHBQ 3.27.3.GA)",
    "tracking": {
      "current_release_date": "2026-04-15T02:27:26+00:00",
      "generator": {
        "date": "2026-04-15T02:27:26+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.7.5"
        }
      },
      "id": "RHSA-2026:8159",
      "initial_release_date": "2026-04-14T17:20:53+00:00",
      "revision_history": [
        {
          "date": "2026-04-14T17:20:53+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-04-14T17:20:53+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-04-15T02:27:26+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Build of Apache Camel 4.14 for Quarkus 3.27",
                "product": {
                  "name": "Red Hat Build of Apache Camel 4.14 for Quarkus 3.27",
                  "product_id": "Red Hat Build of Apache Camel 4.14 for Quarkus 3.27",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:apache_camel_quarkus:3.27"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Build of Apache Camel"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-1002",
      "cwe": {
        "id": "CWE-444",
        "name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
      },
      "discovery_date": "2026-01-15T21:03:20.088599+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2430180"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Vert.x. The Web static handler component cache can be manipulated to deny the access to static files served by the handler using specifically crafted request URIs, preventing legitimate users from accessing static files with an HTTP 404 response.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "io.vertx/vertx-core: static handler component cache can be manipulated to deny the access to static files",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This vulnerability allows a remote attacker to block access to specific static files, such as images, CSS or HTML files. However, the underlying Vert.x server, the API endpoints and other non-cached resources are not affected. Due to this reason, this issue has been rated with a moderate severity.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Build of Apache Camel 4.14 for Quarkus 3.27"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-1002"
        },
        {
          "category": "external",
          "summary": "RHBZ#2430180",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2430180"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-1002",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-1002"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-1002",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1002"
        },
        {
          "category": "external",
          "summary": "https://github.com/eclipse-vertx/vert.x/pull/5895",
          "url": "https://github.com/eclipse-vertx/vert.x/pull/5895"
        }
      ],
      "release_date": "2026-01-15T20:50:25.642000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-14T17:20:53+00:00",
          "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n        The References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat Build of Apache Camel 4.14 for Quarkus 3.27"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:8159"
        },
        {
          "category": "workaround",
          "details": "To mitigate this vulnerability, consider disabling the static handler cache by configuring the StaticHandler instance with setCachingEnabled(false), for example:\n\n~~~\nStaticHandler staticHandler = StaticHandler.create().setCachingEnabled(false);\n~~~",
          "product_ids": [
            "Red Hat Build of Apache Camel 4.14 for Quarkus 3.27"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "Red Hat Build of Apache Camel 4.14 for Quarkus 3.27"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "io.vertx/vertx-core: static handler component cache can be manipulated to deny the access to static files"
    },
    {
      "cve": "CVE-2026-33870",
      "cwe": {
        "id": "CWE-444",
        "name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
      },
      "discovery_date": "2026-03-27T21:01:59.865839+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2452453"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Netty. A remote attacker could exploit this vulnerability by sending specially crafted HTTP/1.1 chunked transfer encoding extension values. Due to incorrect parsing of quoted strings, this flaw enables request smuggling attacks, potentially allowing an attacker to bypass security controls or access unauthorized information.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "io.netty/netty-codec-http: Netty: Request smuggling via incorrect parsing of HTTP/1.1 chunked transfer encoding extension values",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Build of Apache Camel 4.14 for Quarkus 3.27"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-33870"
        },
        {
          "category": "external",
          "summary": "RHBZ#2452453",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452453"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-33870",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-33870"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-33870",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33870"
        },
        {
          "category": "external",
          "summary": "https://github.com/netty/netty/security/advisories/GHSA-pwqr-wmgm-9rr8",
          "url": "https://github.com/netty/netty/security/advisories/GHSA-pwqr-wmgm-9rr8"
        },
        {
          "category": "external",
          "summary": "https://w4ke.info/2025/06/18/funky-chunks.html",
          "url": "https://w4ke.info/2025/06/18/funky-chunks.html"
        },
        {
          "category": "external",
          "summary": "https://w4ke.info/2025/10/29/funky-chunks-2.html",
          "url": "https://w4ke.info/2025/10/29/funky-chunks-2.html"
        },
        {
          "category": "external",
          "summary": "https://www.rfc-editor.org/rfc/rfc9110",
          "url": "https://www.rfc-editor.org/rfc/rfc9110"
        }
      ],
      "release_date": "2026-03-27T19:54:15.586000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-14T17:20:53+00:00",
          "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n        The References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat Build of Apache Camel 4.14 for Quarkus 3.27"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:8159"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat Build of Apache Camel 4.14 for Quarkus 3.27"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat Build of Apache Camel 4.14 for Quarkus 3.27"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "io.netty/netty-codec-http: Netty: Request smuggling via incorrect parsing of HTTP/1.1 chunked transfer encoding extension values"
    },
    {
      "cve": "CVE-2026-33871",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "discovery_date": "2026-03-27T21:02:13.396015+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2452456"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Netty. A remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of CONTINUATION frames. The server\u0027s lack of a limit on these frames, coupled with a bypass of size-based mitigations using zero-byte frames, allows an attacker to consume excessive CPU resources. This can render the server unresponsive with minimal bandwidth usage.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "netty: Netty: Denial of Service via HTTP/2 CONTINUATION frame flood",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This important vulnerability in Netty HTTP/2 servers allows a remote attacker to cause a Denial of Service by sending a flood of CONTINUATION frames. This can lead to excessive CPU consumption and render the server unresponsive. Red Hat products utilizing affected Netty versions, such as Red Hat AMQ, Enterprise Application Platform, and OpenShift Container Platform components, are impacted if configured to use HTTP/2.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Build of Apache Camel 4.14 for Quarkus 3.27"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-33871"
        },
        {
          "category": "external",
          "summary": "RHBZ#2452456",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452456"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-33871",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-33871"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-33871",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33871"
        },
        {
          "category": "external",
          "summary": "https://github.com/netty/netty/security/advisories/GHSA-w9fj-cfpg-grvv",
          "url": "https://github.com/netty/netty/security/advisories/GHSA-w9fj-cfpg-grvv"
        }
      ],
      "release_date": "2026-03-27T19:55:23.135000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-14T17:20:53+00:00",
          "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n        The References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat Build of Apache Camel 4.14 for Quarkus 3.27"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:8159"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Build of Apache Camel 4.14 for Quarkus 3.27"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "netty: Netty: Denial of Service via HTTP/2 CONTINUATION frame flood"
    }
  ]
}

CVE-2026-33870 (GCVE-0-2026-33870)

Vulnerability from cvelistv5 – Published: 2026-03-27 19:54 – Updated: 2026-03-31 13:55

Title

Netty: HTTP Request Smuggling via Chunked Extension Quoted-String Parsing

Summary

Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the issue.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE

CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/netty/netty/security/advisorie…	x_refsource_CONFIRM
	https://w4ke.info/2025/06/18/funky-chunks.html	x_refsource_MISC
	https://w4ke.info/2025/10/29/funky-chunks-2.html	x_refsource_MISC
	https://www.rfc-editor.org/rfc/rfc9110	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	netty	netty	Affected: < 4.1.132.Final Affected: >= 4.2.0.Alpha1, < 4.2.10.Final

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33870",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-31T13:55:28.970197Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-31T13:55:47.863Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "netty",
          "vendor": "netty",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 4.1.132.Final"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.2.0.Alpha1, \u003c 4.2.10.Final"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-444",
              "description": "CWE-444: Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-27T19:54:15.586Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/netty/netty/security/advisories/GHSA-pwqr-wmgm-9rr8",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/netty/netty/security/advisories/GHSA-pwqr-wmgm-9rr8"
        },
        {
          "name": "https://w4ke.info/2025/06/18/funky-chunks.html",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://w4ke.info/2025/06/18/funky-chunks.html"
        },
        {
          "name": "https://w4ke.info/2025/10/29/funky-chunks-2.html",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://w4ke.info/2025/10/29/funky-chunks-2.html"
        },
        {
          "name": "https://www.rfc-editor.org/rfc/rfc9110",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.rfc-editor.org/rfc/rfc9110"
        }
      ],
      "source": {
        "advisory": "GHSA-pwqr-wmgm-9rr8",
        "discovery": "UNKNOWN"
      },
      "title": "Netty: HTTP Request Smuggling via Chunked Extension Quoted-String Parsing"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33870",
    "datePublished": "2026-03-27T19:54:15.586Z",
    "dateReserved": "2026-03-24T15:10:05.678Z",
    "dateUpdated": "2026-03-31T13:55:47.863Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-33871 (GCVE-0-2026-33871)

Vulnerability from cvelistv5 – Published: 2026-03-27 19:55 – Updated: 2026-03-31 18:54

Title

Netty HTTP/2 CONTINUATION Frame Flood DoS via Zero-Byte Frame Bypass

Summary

Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATION` frames. The server's lack of a limit on the number of `CONTINUATION` frames, combined with a bypass of existing size-based mitigations using zero-byte frames, allows an user to cause excessive CPU consumption with minimal bandwidth, rendering the server unresponsive. Versions 4.1.132.Final and 4.2.10.Final fix the issue.

Severity ?

8.7 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE

CWE-770 - Allocation of Resources Without Limits or Throttling

Assigner

GitHub_M

References

URL

Tags

https://github.com/netty/netty/security/advisorie…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	netty	netty	Affected: < 4.1.132.Final Affected: >= 4.2.0.Alpha1, < 4.2.10.Final

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33871",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-31T18:51:31.168118Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-31T18:54:19.771Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "netty",
          "vendor": "netty",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 4.1.132.Final"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.2.0.Alpha1, \u003c 4.2.10.Final"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATION` frames. The server\u0027s lack of a limit on the number of `CONTINUATION` frames, combined with a bypass of existing size-based mitigations using zero-byte frames, allows an user to cause excessive CPU consumption with minimal bandwidth, rendering the server unresponsive. Versions 4.1.132.Final and 4.2.10.Final fix the issue."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-27T19:55:23.135Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/netty/netty/security/advisories/GHSA-w9fj-cfpg-grvv",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/netty/netty/security/advisories/GHSA-w9fj-cfpg-grvv"
        }
      ],
      "source": {
        "advisory": "GHSA-w9fj-cfpg-grvv",
        "discovery": "UNKNOWN"
      },
      "title": "Netty HTTP/2 CONTINUATION Frame Flood DoS via Zero-Byte Frame Bypass"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33871",
    "datePublished": "2026-03-27T19:55:23.135Z",
    "dateReserved": "2026-03-24T15:10:05.679Z",
    "dateUpdated": "2026-03-31T18:54:19.771Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-1002 (GCVE-0-2026-1002)

Vulnerability from cvelistv5 – Published: 2026-01-15 20:50 – Updated: 2026-01-15 21:09

Title

Eclipse Vert.x Web static handler file access denial

Summary

The Vert.x Web static handler component cache can be manipulated to deny the access to static files served by the handler using specifically crafted request URI. The issue comes from an improper implementation of the C. rule of section 5.2.4 of RFC3986 and is fixed in Vert.x Core component (used by Vert.x Web): https://github.com/eclipse-vertx/vert.x/pull/5895 Steps to reproduce Given a file served by the static handler, craft an URI that introduces a string like bar%2F..%2F after the last / char to deny the access to the URI with an HTTP 404 response. For example https://example.com/foo/index.html can be denied with https://example.com/foo/bar%2F..%2Findex.html Mitgation Disabling Static Handler cache fixes the issue. StaticHandler staticHandler = StaticHandler.create().setCachingEnabled(false);

Severity ?

6.9 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L

CWE

CWE-444

Assigner

eclipse

References

URL

Tags

https://github.com/eclipse-vertx/vert.x/pull/5895

patch

Impacted products

	Vendor	Product	Version
	Eclipse Vert.x	Eclipse Vert.x	Affected: 4.0.0 , ≤ 4.5.23 (semver) Affected: 5.0.0 , ≤ 5.0.6 (semver)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-1002",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-15T21:07:25.597990Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-15T21:09:22.172Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/vert-x3/vertx-web/issues/2836"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "io.vertx",
          "product": "Eclipse Vert.x",
          "repo": "https://github.com/eclipse-vertx/vert.x",
          "vendor": "Eclipse Vert.x",
          "versions": [
            {
              "lessThanOrEqual": "4.5.23",
              "status": "affected",
              "version": "4.0.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.0.6",
              "status": "affected",
              "version": "5.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThe Vert.x Web static handler component cache can be manipulated to deny the access to static files served by the handler using specifically crafted request URI.\u003c/p\u003e\n\u003cp\u003eThe issue comes from an improper implementation of the C. rule of section 5.2.4 of RFC3986 and is fixed in Vert.x Core component (used by Vert.x Web): \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/eclipse-vertx/vert.x/pull/5895\"\u003ehttps://github.com/eclipse-vertx/vert.x/pull/5895\u003c/a\u003e\u003c/p\u003e\n\u003ch2\u003e\n\u003ca target=\"_blank\" rel=\"nofollow\"\u003e\u003c/a\u003e\u003c/h2\u003e\u003ch2\u003eSteps to reproduce\u003c/h2\u003e\n\u003cp\u003eGiven a file served by the static handler, craft an URI that introduces a string like \u003ccode\u003ebar%2F..%2F\u003c/code\u003e after the last \u003ccode\u003e/\u003c/code\u003e char to deny the access to the URI with an HTTP 404 response. For example \u003ccode\u003ehttps://example.com/foo/index.html\u003c/code\u003e can be denied with \u003ccode\u003ehttps://example.com/foo/bar%2F..%2Findex.html\u003c/code\u003e\u003c/p\u003e\u003ch2\u003eMitgation\u003c/h2\u003e\n\u003cp\u003eDisabling Static Handler cache fixes the issue.\u003c/p\u003e\n\u003cdiv\u003e\n\u003cpre\u003e\u003ccode\u003eStaticHandler staticHandler = StaticHandler.create().setCachingEnabled(false);\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003cbr\u003e"
            }
          ],
          "value": "The Vert.x Web static handler component cache can be manipulated to deny the access to static files served by the handler using specifically crafted request URI.\n\n\nThe issue comes from an improper implementation of the C. rule of section 5.2.4 of RFC3986 and is fixed in Vert.x Core component (used by Vert.x Web):  https://github.com/eclipse-vertx/vert.x/pull/5895 \n\n\n\nSteps to reproduce\nGiven a file served by the static handler, craft an URI that introduces a string like bar%2F..%2F after the last / char to deny the access to the URI with an HTTP 404 response. For example https://example.com/foo/index.html can be denied with https://example.com/foo/bar%2F..%2Findex.html\n\nMitgation\nDisabling Static Handler cache fixes the issue.\n\n\n\nStaticHandler staticHandler = StaticHandler.create().setCachingEnabled(false);"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-153",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-153 Input Data Manipulation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "LOW",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-444",
              "description": "CWE-444",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-15T20:50:25.642Z",
        "orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
        "shortName": "eclipse"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/eclipse-vertx/vert.x/pull/5895"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Eclipse Vert.x Web static handler file access denial",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
    "assignerShortName": "eclipse",
    "cveId": "CVE-2026-1002",
    "datePublished": "2026-01-15T20:50:25.642Z",
    "dateReserved": "2026-01-15T18:23:48.276Z",
    "dateUpdated": "2026-01-15T21:09:22.172Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

RHSA-2026:8159

CVE-2026-33870 (GCVE-0-2026-33870)

CVE-2026-33871 (GCVE-0-2026-33871)

CVE-2026-1002 (GCVE-0-2026-1002)

Tags

Sightings

Nomenclature