SB2026051351 - IBM DevOps Test Performance update for Netty




Published: May 13, 2026

Security Bulletin ID: SB2026051351
CSH Severity: Medium
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Medium: 100%

Description

This security bulletin contains information about 1 vulnerability.


1) CRLF injection (CVE-ID: CVE-2026-41417)

The vulnerability allows a remote attacker to inject additional HTTP or RTSP requests.

The vulnerability exists due to improper neutralization of CRLF sequences in DefaultHttpRequest.setUri() and DefaultFullHttpRequest.setUri() when encoding attacker-controlled URIs into request lines through HttpRequestEncoder or RtspEncoder. A remote attacker can supply a specially crafted URI containing CRLF sequences to inject additional HTTP or RTSP requests.

Exploitation requires an application to create the request object first, later modify it through setUri(), and then serialize it with HttpRequestEncoder or RtspEncoder.
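
The following is an added example, not code from this bulletin, IBM or the Netty project: a JDK-only check that an application can run on an untrusted URI before passing it to setUri(), as defense in depth alongside the vendor update. The class name RequestTargetGuard, the variable names and the sample inputs are hypothetical and constructed for illustration.

```java
// Added example: validate a request target before it reaches setUri().
// Uses only the JDK, so it compiles without Netty on the classpath.
public final class RequestTargetGuard {

    private RequestTargetGuard() {}

    /**
     * Returns uri unchanged if it contains no CR, LF, other ASCII control
     * characters, space or DEL; otherwise throws. None of these may appear
     * raw in an HTTP request target, and CR/LF would end the request line.
     */
    public static String requireSafe(String uri) {
        if (uri == null || uri.isEmpty()) {
            throw new IllegalArgumentException("request target is empty");
        }
        for (int i = 0; i < uri.length(); i++) {
            char c = uri.charAt(i);
            if (c <= 0x20 || c == 0x7f) {
                throw new IllegalArgumentException(String.format(
                        "illegal character 0x%02x at index %d in request target",
                        (int) c, i));
            }
        }
        return uri;
    }

    /** Non-throwing variant for logging or metrics. */
    public static boolean isSafe(String uri) {
        try {
            requireSafe(uri);
            return true;
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one well-formed, the rest malformed.
        String[] samples = {
            "/status?id=42", "/status\r\nconstructed", "/status\nconstructed", "/a b"
        };
        for (String s : samples) {
            String shown = s.replace("\r", "\\r").replace("\n", "\\n");
            System.out.println((isSafe(s) ? "accept " : "reject ") + shown);
        }
        // Intended call site (hypothetical variable names):
        //   request.setUri(RequestTargetGuard.requireSafe(untrustedUri));
    }
}
```

Rejecting the input outright, rather than stripping the offending characters, keeps malformed URIs visible in application logs.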


Remediation

Install update from vendor's website.