CVE-2026-48480 in netty-incubator-codec-ohttp

Summary

by MITRE • 04/06/2026

The netty incubator codec.bhttp is a Java language binary HTTP parser. Prior to version 0.0.22.Final, the codec-ohttp implementation of draft-ietf-ohai-chunked-ohttp does not verify that a cryptographically-signed final chunk was received before the outer HTTP body terminates. An on-path adversary (the OHTTP relay itself, or any MITM on the relay↔gateway or relay↔client transport) can forward a prefix of a legitimate chunked-OHTTP message—cut at a non-final chunk boundary—and close the outer body cleanly, producing no decryption error and no exception in the receiving application. Version 0.0.22.Final fixes the issue.
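The missing end-of-body check described above, as an added Java example (not code from Netty, the draft, or this advisory). It assumes a simplified stand-in framing: a one-byte length prefix per chunk, with length 0 marking the final chunk that runs to the end of the body. Per-chunk authenticated decryption is omitted, and the class and method names are hypothetical.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public class FinalChunkCheck {
    // Simplified framing (assumption): 1-byte length, then the chunk bytes;
    // length 0 marks the final chunk, which extends to the end of the body.
    static byte[] receive(byte[] body, boolean requireFinal) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        boolean finalSeen = false;
        int pos = 0;
        while (pos < body.length) {
            int len = body[pos++] & 0xff;
            if (len == 0) {                      // final chunk indicator
                out.write(body, pos, body.length - pos);
                finalSeen = true;
                break;
            }
            if (pos + len > body.length) {       // cut inside a chunk: always an error
                throw new IOException("body ended inside a chunk");
            }
            out.write(body, pos, len);
            pos += len;
        }
        // A clean end of the outer body is acceptable only after the final
        // chunk has been processed. Without this check, a prefix cut at a
        // chunk boundary is returned as if it were the complete message.
        if (requireFinal && !finalSeen) {
            throw new IOException("outer body ended before the final chunk");
        }
        return out.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: two non-final chunks, then the final chunk.
        byte[] full = {4, 'p', 'a', 'y', ' ', 3, '1', '0', '0', 0, '0', ' ', 'U', 'S', 'D'};
        // The same message cut at the boundary after the second non-final chunk.
        byte[] cut = Arrays.copyOf(full, 9);
        System.out.println("full:    " + new String(receive(full, true), StandardCharsets.US_ASCII));
        System.out.println("lenient: " + new String(receive(cut, false), StandardCharsets.US_ASCII));
        try {
            receive(cut, true);
        } catch (IOException e) {
            System.out.println("strict:  rejected, " + e.getMessage());
        }
    }
}
```

The lenient call returns `pay 100` for the truncated body without any error, while the strict call rejects it. A receiver should surface that rejection to the application as a failed message, not as a short but valid one.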


Responsible

GitHub M

Reserved

21/05/2026

Disclosure

04/06/2026

Moderation

accepted

Entry

VDB-368405

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources
