CVE-2026-33870 in Netty
Summary
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
Responsible
GitHub_M
Reservation
03/24/2026
Disclosure
03/27/2026
Entries
VulDB provides additional information and datapoints for this CVE:
| ID | Vulnerability | CWE | Exp | Cou | CVE |
|---|---|---|---|---|---|
| 354033 | Netty request smuggling | 444 | Not defined | Official fix | CVE-2026-33870 |