SB2026060936 - Ubuntu update for netty

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2026060936

SB2026060936 - Ubuntu update for netty

Published: June 9, 2026

Security Bulletin ID SB2026060936
CSH Severity
High
Patch available
YES
Number of vulnerabilities 6
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

High 17% Medium 83%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 6 vulnerabilities.


1) HTTP response splitting (CVE-ID: CVE-2026-42578)

CWE-ID: CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to inject arbitrary HTTP headers into CONNECT proxy requests.

The vulnerability exists due to improper neutralization of CRLF sequences in HTTP headers in io.netty.handler.proxy.HttpProxyHandler newInitialMessage() when handling user-influenced outbound headers. A remote attacker can supply crafted header values containing CRLF sequences to inject arbitrary HTTP headers into CONNECT proxy requests.

Exploitation requires an application to use HttpProxyHandler with user-influenced outboundHeaders without performing its own CRLF sanitization.


2) Null Byte Interaction Error (Poison Null Byte) (CVE-ID: CVE-2026-42579)

CWE-ID: CWE-626 - Null Byte Interaction Error (Poison Null Byte)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass domain validation and poison DNS caches.

The vulnerability exists due to improper input validation in io.netty.handler.codec.dns.DnsCodecUtil encodeDomainName() when encoding user-influenced domain names. A remote attacker can supply a crafted domain name containing null bytes, overlength labels, or empty labels to bypass domain validation and poison DNS caches.

The issue affects the encoder path and relies on applications using user-influenced hostnames to construct DNS queries.


3) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2026-42581)

CWE-ID: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform request smuggling.

The vulnerability exists due to improper input validation in HttpObjectDecoder when processing HTTP/1.0 requests containing both Transfer-Encoding: chunked and Content-Length headers. A remote attacker can send a specially crafted HTTP/1.0 request to perform request smuggling.

Exploitation requires Netty to be deployed behind a downstream proxy or handler that trusts Content-Length over Transfer-Encoding.


4) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2026-42584)

CWE-ID: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disrupt HTTP parsing integrity and availability on the connection.

The vulnerability exists due to inconsistent interpretation of HTTP responses in HttpClientCodec when processing pipelined HTTP/1.1 responses that include a 1xx response before a GET response body and a subsequent HEAD response. A remote attacker can send a specially crafted sequence of HTTP responses to disrupt HTTP parsing integrity and availability on the connection.

Exploitation requires HTTP/1.1 pipelining, a HEAD request in the pipeline, and a server response sequence that includes a 1xx response.


5) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2026-42585)

CWE-ID: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to inject arbitrary HTTP requests.

The vulnerability exists due to inconsistent interpretation of HTTP requests in HttpRequestDecoder when parsing malformed Transfer-Encoding headers. A remote attacker can send a specially crafted HTTP request with a malformed "Transfer-Encoding: chunked, identity" header to inject arbitrary HTTP requests.

Exploitation is possible in deployments where a proxy forwards such malformed requests to Netty instead of rejecting them.


6) CRLF injection (CVE-ID: CVE-2026-42586)

CWE-ID: CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to inject Redis commands or poison Redis responses.

The vulnerability exists due to improper neutralization of CRLF sequences in io.netty.handler.codec.redis.RedisEncoder when encoding user-controlled Redis message content. A remote attacker can supply crafted content containing CRLF characters to inject Redis commands or poison Redis responses.

The issue affects inline command mode and simple string or error response types, while RESP array format with binary-safe length-prefixed encoding is not affected.


Remediation

Install update from vendor's website.

References