SB2026060963 - SUSE update for netty, netty-tcnative
Published: June 9, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 12 vulnerabilities.
1) CRLF injection (CVE-ID: CVE-2026-41417)
CWE-ID: CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to inject additional HTTP or RTSP requests.
The vulnerability exists due to improper neutralization of CRLF sequences in DefaultHttpRequest.setUri() and DefaultFullHttpRequest.setUri() when encoding attacker-controlled URIs into request lines through HttpRequestEncoder or RtspEncoder. A remote attacker can supply a specially crafted URI containing CRLF sequences to inject additional HTTP or RTSP requests.
Exploitation requires an application to create the request object first, later modify it through setUri(), and then serialize it with HttpRequestEncoder or RtspEncoder.
2) HTTP response splitting (CVE-ID: CVE-2026-42578)
CWE-ID: CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to inject arbitrary HTTP headers into CONNECT proxy requests.
The vulnerability exists due to improper neutralization of CRLF sequences in HTTP headers in io.netty.handler.proxy.HttpProxyHandler newInitialMessage() when handling user-influenced outbound headers. A remote attacker can supply crafted header values containing CRLF sequences to inject arbitrary HTTP headers into CONNECT proxy requests.
Exploitation requires an application to use HttpProxyHandler with user-influenced outboundHeaders without performing its own CRLF sanitization.
3) Null Byte Interaction Error (Poison Null Byte) (CVE-ID: CVE-2026-42579)
CWE-ID: CWE-626 - Null Byte Interaction Error (Poison Null Byte)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass domain validation and poison DNS caches.
The vulnerability exists due to improper input validation in io.netty.handler.codec.dns.DnsCodecUtil encodeDomainName() when encoding user-influenced domain names. A remote attacker can supply a crafted domain name containing null bytes, overlength labels, or empty labels to bypass domain validation and poison DNS caches.
The issue affects the encoder path and relies on applications using user-influenced hostnames to construct DNS queries.
4) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2026-42580)
CWE-ID: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to inject arbitrary HTTP requests.
The vulnerability exists due to inconsistent interpretation of HTTP requests in io.netty.handler.codec.http.HttpObjectDecoder#getChunkSize when parsing chunked HTTP requests. A remote attacker can send a specially crafted chunked request to inject arbitrary HTTP requests.
5) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2026-42581)
CWE-ID: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform request smuggling.
The vulnerability exists due to improper input validation in HttpObjectDecoder when processing HTTP/1.0 requests containing both Transfer-Encoding: chunked and Content-Length headers. A remote attacker can send a specially crafted HTTP/1.0 request to perform request smuggling.
Exploitation requires Netty to be deployed behind a downstream proxy or handler that trusts Content-Length over Transfer-Encoding.
6) Uncontrolled Memory Allocation (CVE-ID: CVE-2026-42582)
CWE-ID: CWE-789 - Uncontrolled Memory Allocation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to memory allocation with excessive size value in io.netty.handler.codec.http3.QpackDecoder#decodeHuffmanEncodedLiteral when decoding HTTP/3 QPACK literal header fields. A remote attacker can send a specially crafted HTTP/3 HEADERS frame to cause a denial of service.
The issue occurs in the non-Huffman decoding branch before the claimed literal length is verified against the available bytes in the compressed field section.
7) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-42583)
CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to uncontrolled resource consumption in io.netty.handler.codec.compression.Lz4FrameDecoder#decode when processing crafted LZ4 frames. A remote attacker can send a specially crafted compressed frame header and payload to cause a denial of service.
On the compressed path, header fields are trusted for sizing, allowing a small request to force allocation of a much larger ByteBuf.
8) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2026-42584)
CWE-ID: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disrupt HTTP parsing integrity and availability on the connection.
The vulnerability exists due to inconsistent interpretation of HTTP responses in HttpClientCodec when processing pipelined HTTP/1.1 responses that include a 1xx response before a GET response body and a subsequent HEAD response. A remote attacker can send a specially crafted sequence of HTTP responses to disrupt HTTP parsing integrity and availability on the connection.
Exploitation requires HTTP/1.1 pipelining, a HEAD request in the pipeline, and a server response sequence that includes a 1xx response.
9) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2026-42585)
CWE-ID: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to inject arbitrary HTTP requests.
The vulnerability exists due to inconsistent interpretation of HTTP requests in HttpRequestDecoder when parsing malformed Transfer-Encoding headers. A remote attacker can send a specially crafted HTTP request with a malformed "Transfer-Encoding: chunked, identity" header to inject arbitrary HTTP requests.
Exploitation is possible in deployments where a proxy forwards such malformed requests to Netty instead of rejecting them.
10) CRLF injection (CVE-ID: CVE-2026-42586)
CWE-ID: CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to inject Redis commands or poison Redis responses.
The vulnerability exists due to improper neutralization of CRLF sequences in io.netty.handler.codec.redis.RedisEncoder when encoding user-controlled Redis message content. A remote attacker can supply crafted content containing CRLF characters to inject Redis commands or poison Redis responses.
The issue affects inline command mode and simple string or error response types, while RESP array format with binary-safe length-prefixed encoding is not affected.
11) Resource exhaustion (CVE-ID: CVE-2026-42587)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to uncontrolled resource consumption in HttpContentDecompressor and DelegatingDecompressorFrameListener when processing compressed HTTP request bodies with Content-Encoding set to br, zstd, or snappy. A remote attacker can send a specially crafted compressed payload to cause a denial of service.
The configured maxAllocation limit is enforced for gzip and deflate, but is silently ignored for brotli, zstd, and snappy. The issue affects both HTTP/1.1 and HTTP/2 handling.
12) Resource exhaustion (CVE-ID: CVE-2026-44248)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to uncontrolled resource consumption in MqttDecoder when parsing MQTT 5 header Properties sections. A remote attacker can send a specially crafted MQTT message with an enormous Properties section to cause a denial of service.
The issue can lead to high CPU and memory usage because the Properties section is parsed and buffered before message size limits are applied, and repeated re-parsing occurs due to ReplayingDecoder behavior.
Remediation
Install update from vendor's website.