By vendor

Netty vulnerabilities

Known CVEs affecting Netty products, prioritized by severity, with SEC.co remediation and detection guidance.

1 published vulnerability

  • CVE-2026-41207MEDIUM 5.3

    A vulnerability exists in Netty's binary HTTP parser (netty-incubator-codec-ohttp) where cryptographic key generation can fail silently and default to all-zero keys without raising an error. This occurs in the HKDF_expand and EVP_HPKE_CTX_export functions, which are supposed to generate random key material for encrypting HTTP responses. Instead of signaling failure, these functions return zero-filled byte arrays that are indistinguishable from legitimate keys. An attacker who understands this behavior could predict the encryption keys and decrypt sensitive response data, compromising the confidentiality of encrypted messages. The issue was resolved in version 0.0.21.Final.