CVE-2026-33870
HIGHCVSS v3.1: 7.5 · EPSS: 0.0046 (36.4 percentile)
Source data as of:
At a glance
- Severity
- HIGH
- CVSS
- 7.5 v3.1 · NVD
- EPSS
- 0.0046 (36.4 percentile) · FIRST.org
- CISA KEV
- No
- Attack conditions (CVSS vector)
- NetworkNo privilegesNo user interaction · Source: NVD Vector
- Affected vendors
- netty
- Published
- 2026-03-27 · Modified: 2026-06-30
- References
- Jump to references (8)
CVSS / EPSS / KEV
Source — CVSS: NVD · EPSS: FIRST.org · KEV: CISA. Data & Sources
Description
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
References
Reference URLs as listed by NVD, grouped by a mechanical match on the link's host/pattern. Labels describe the link type only.
- Vendor advisory https://github.com/netty/netty/security/advisories/GHSA-pwqr-wmgm-9rr8
- Reference https://w4ke.info/2025/06/18/funky-chunks.html
- Reference https://w4ke.info/2025/10/29/funky-chunks-2.html
- Reference https://www.rfc-editor.org/rfc/rfc9110
- Distro https://access.redhat.com/errata/RHSA-2026:10175
- Distro https://access.redhat.com/errata/RHSA-2026:10184
- Distro https://access.redhat.com/errata/RHSA-2026:13571
- Distro https://access.redhat.com/errata/RHSA-2026:14272