MEDIUM 5.3

CVE-2026-41207: Netty OHTTP Silent Key Generation Failure Leading to Predictable Encryption Keys

A vulnerability exists in Netty's binary HTTP parser (netty-incubator-codec-ohttp) where cryptographic key generation can fail silently and default to all-zero keys without raising an error. This occurs in the HKDF_expand and EVP_HPKE_CTX_export functions, which are supposed to generate random key material for encrypting HTTP responses. Instead of signaling failure, these functions return zero-filled byte arrays that are indistinguishable from legitimate keys. An attacker who understands this behavior could predict the encryption keys and decrypt sensitive response data, compromising the confidentiality of encrypted messages. The issue was resolved in version 0.0.21.Final.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Weaknesses (CWE)
CWE-330
Affected products
1 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

The netty incubator codec.bhttp is a java language binary http parser. Prior to version 0.0.21.Final, HKDF_expand returns non-NULL on failure. The byte[] is filled with zeros and has no way to distinguish success from failure. Since this output is used as HKDF key material for the response AEAD, a failure silently produces an all-zero key. When EVP_HPKE_CTX_export fails it also returns an empty byte[] array filled with zeros. This byte[] feeds directly into OHttpCrypto.createResponseAEAD(...). A silent all-zero export secret would produce a deterministic, attacker-predictable AEAD key. Version 0.0.21.Final patches the issue.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-41207 affects the netty-incubator-codec-ohttp library, which implements the Oblivious HTTP (OHTTP) specification for privacy-preserving HTTP communication. The vulnerability stems from improper error handling in HKDF key derivation and HPKE context export operations. Both HKDF_expand and EVP_HPKE_CTX_export lack explicit failure signaling and instead return zero-initialized byte arrays when they should fail. These outputs flow directly into OHttpCrypto.createResponseAEAD(...), which uses them as AEAD encryption keys. Because zero-filled arrays are deterministic and predictable, the resulting encryption keys become constant across all affected communications—a critical weakness for symmetric encryption. The CVSS 3.1 score of 5.3 (MEDIUM) reflects the integrity/confidentiality risk without requiring authentication or user interaction, though successful exploitation still requires the attacker to identify when a key derivation has silently failed versus when it succeeded normally.

Business impact

Applications relying on netty-incubator-codec-ohttp for privacy-sensitive HTTP communication face potential exposure of encrypted payloads. Oblivious HTTP is designed for scenarios where a client wants to hide its request from an intermediary proxy while still communicating with an origin server. A silent key generation failure undermines that privacy guarantee by enabling an attacker (who may be the intermediary, a network observer, or an insider with key knowledge) to decrypt all OHTTP responses sent through the library. If OHTTP is used to protect sensitive API calls, form submissions, or authentication tokens, the business impact could include data breaches, privacy violations, and loss of customer trust. Organizations using pre-patched versions should immediately audit their encryption key derivation paths and assess whether any OHTTP connections were established before the patch was applied.

Affected systems

The vulnerability affects netty-incubator-codec-ohttp versions prior to 0.0.21.Final. The netty-incubator-codec-ohttp library is part of the Netty project's incubator modules and is used by applications that implement OHTTP as a privacy layer. If your application imports netty-incubator-codec-ohttp as a dependency and uses it for request/response encryption, it is potentially affected. This includes any microservice, gateway, or proxy that leverages OHTTP for client privacy. Projects should check their dependency trees (Maven, Gradle, or other build systems) to confirm whether they use this library and at what version.

Exploitability

This vulnerability requires network access to observe or intercept OHTTP-encrypted traffic, but no authentication or user interaction is needed. The exploit path is passive if the attacker can observe encrypted responses; it becomes active if the attacker can cause or detect OHTTP connections. However, the attacker must have prior knowledge that a key derivation failure occurred or must recognize the pattern of constant all-zero keys across multiple messages. In practice, exploitability is constrained by the attacker's ability to: (1) identify systems using vulnerable netty-incubator-codec-ohttp versions, (2) capture encrypted traffic, and (3) recognize when key derivation has failed versus succeeded. The vulnerability was not listed in CISA's Known Exploited Vulnerabilities catalog at time of publication, suggesting active exploitation is not yet widespread, though the simplicity of the flaw (zero-filled keys) makes it a moderate concern if discoverable.

Remediation

Upgrade netty-incubator-codec-ohttp to version 0.0.21.Final or later. This patch corrects the error handling in HKDF_expand and EVP_HPKE_CTX_export to properly signal failures and prevent silent key derivation with zero-filled outputs. Update your build configuration (Maven pom.xml, Gradle build.gradle, etc.) to reference the patched version, rebuild, and redeploy. Because this is a cryptographic fix, there is no safe interim workaround; patching is mandatory. If you are unable to patch immediately, consider disabling OHTTP functionality or isolating OHTTP endpoints from untrusted network paths.

Patch guidance

To remediate, update the netty-incubator-codec-ohttp dependency to version 0.0.21.Final or any later release. For Maven projects, locate the netty-incubator-codec-ohttp entry in your pom.xml and update the version tag. For Gradle, update the corresponding dependency line in build.gradle. After updating, run a full build and test cycle to confirm compatibility with your application. Netty incubator modules are designed to be forward-compatible, so upgrading to 0.0.21.Final should not break existing code; however, always validate in a staging environment before deploying to production. If your application pins to a specific Netty version, check the release notes for version 0.0.21.Final and later patch releases to ensure alignment with your Netty core version.

Detection guidance

To detect potential exploitation: (1) Search your dependency inventory for any use of netty-incubator-codec-ohttp with version prior to 0.0.21.Final. Most organizations use Software Composition Analysis (SCA) tools to track this; update your SCA policy to flag this CVE. (2) Enable logging in your OHTTP/Netty implementation to record key derivation successes and failures; a suspicious pattern of failures followed by constant encryption keys could indicate active exploitation. (3) Monitor for unexpected decryption failures or unusual traffic patterns on OHTTP endpoints. (4) If OHTTP traffic is captured (e.g., in packet captures or proxy logs), and you suspect a key derivation failure occurred, the encrypted payloads would become readable once the attacker recognized the all-zero key pattern. Review historical logs and traffic for any anomalies correlated with application behavior before the patch was deployed.

Why prioritize this

Although the CVSS score is 5.3 (MEDIUM), the nature of the flaw merits urgent prioritization for any organization using OHTTP: the vulnerability directly undermines the cryptographic integrity of encrypted HTTP responses, silently compromising confidentiality without detection. The attacker does not need elevated privileges or authentication, and the flaw is deterministic (zero keys are always predictable). If OHTTP is used to protect high-value requests (authentication, sensitive data queries, privacy-critical operations), the business impact is severe. The fact that this is a cryptographic failure, not a logic bug or denial-of-service issue, elevates the risk from a confidentiality standpoint. Prioritize patching if OHTTP is in use; if OHTTP is not in use, deprioritize accordingly.

Risk score, explained

The CVSS 3.1 score of 5.3 (MEDIUM) reflects: Attack Vector Network (AV:N) — attacker needs network access to observe encrypted traffic; Attack Complexity Low (AC:L) — no unusual conditions or race conditions required; Privileges Required None (PR:N) — no authentication needed; User Interaction None (UI:N) — passive observation is sufficient; Scope Unchanged (S:U) — no boundary crossing; Confidentiality None (C:N) — CVSS does not score confidentiality impact in the traditional sense because the attack is a cryptanalytic bypass, not a direct information leak; Integrity Low (I:L) — attacker can forge or manipulate encrypted responses if keys are compromised; Availability None (A:N) — no denial of service. The MEDIUM rating arguably underweights the cryptographic nature of the flaw; organizations should assess their own risk tolerance for confidentiality breaches and adjust prioritization accordingly.

Frequently asked questions

What is OHTTP and why does this vulnerability matter?

Oblivious HTTP (OHTTP) is a privacy protocol that separates the HTTP request path from the HTTP origin server, allowing a client to hide its identity from intermediary proxies while still reaching the origin. This vulnerability silently breaks encryption key generation, allowing attackers who observe traffic to decrypt responses. If your service uses OHTTP to protect user privacy, this flaw directly undermines that goal.

Do I need to regenerate old encrypted data or invalidate old sessions?

If OHTTP responses were encrypted using the vulnerable library before patching, and an attacker observed those responses, they may have been decrypted using the predictable all-zero keys. You should assume any OHTTP traffic from before the patch is potentially compromised if it contained sensitive data. Review access logs and audit what data was transmitted over OHTTP connections prior to patching, and notify affected users if necessary.

Can I work around this without upgrading immediately?

No safe workaround exists. This is a cryptographic flaw—disabling OHTTP or using non-OHTTP channels is the only alternative to patching. Upgrading to 0.0.21.Final is the only secure fix.

How do I know if my application uses netty-incubator-codec-ohttp?

Check your project's dependency manifest (pom.xml for Maven, build.gradle for Gradle, etc.) and run a dependency tree report (e.g., 'mvn dependency:tree'). Search for netty-incubator-codec-ohttp in the output. If found, note the version and compare it against 0.0.21.Final. You can also use commercial SCA tools or open-source tools like Snyk or OWASP Dependency-Check to automate this discovery.

This analysis is provided for informational purposes and reflects publicly available information as of the vulnerability publication date. SEC.co makes no warranty regarding the accuracy or completeness of this analysis. Organizations should verify all patch versions, affected products, and remediation steps directly with the Netty project's official advisories and documentation. CVSS scores and risk assessments are general guidelines; your organization's risk tolerance and exposure may differ. If you believe you are affected, engage your security team and vendor immediately. This explainer does not constitute legal advice, security warranty, or endorsement of any specific remediation approach. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).