SB2026061240 - Multiple vulnerabilities in IBM Enterprise Build of Quarkus

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2026061240

SB2026061240 - Multiple vulnerabilities in IBM Enterprise Build of Quarkus

Published: June 12, 2026

Security Bulletin ID SB2026061240
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 6
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 6 vulnerabilities.


1) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2026-42580)

CWE-ID: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to inject arbitrary HTTP requests.

The vulnerability exists due to inconsistent interpretation of HTTP requests in io.netty.handler.codec.http.HttpObjectDecoder#getChunkSize when parsing chunked HTTP requests. A remote attacker can send a specially crafted chunked request to inject arbitrary HTTP requests.


2) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2026-42581)

CWE-ID: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform request smuggling.

The vulnerability exists due to improper input validation in HttpObjectDecoder when processing HTTP/1.0 requests containing both Transfer-Encoding: chunked and Content-Length headers. A remote attacker can send a specially crafted HTTP/1.0 request to perform request smuggling.

Exploitation requires Netty to be deployed behind a downstream proxy or handler that trusts Content-Length over Transfer-Encoding.


3) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2026-42584)

CWE-ID: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disrupt HTTP parsing integrity and availability on the connection.

The vulnerability exists due to inconsistent interpretation of HTTP responses in HttpClientCodec when processing pipelined HTTP/1.1 responses that include a 1xx response before a GET response body and a subsequent HEAD response. A remote attacker can send a specially crafted sequence of HTTP responses to disrupt HTTP parsing integrity and availability on the connection.

Exploitation requires HTTP/1.1 pipelining, a HEAD request in the pipeline, and a server response sequence that includes a 1xx response.


4) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2026-42585)

CWE-ID: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to inject arbitrary HTTP requests.

The vulnerability exists due to inconsistent interpretation of HTTP requests in HttpRequestDecoder when parsing malformed Transfer-Encoding headers. A remote attacker can send a specially crafted HTTP request with a malformed "Transfer-Encoding: chunked, identity" header to inject arbitrary HTTP requests.

Exploitation is possible in deployments where a proxy forwards such malformed requests to Netty instead of rejecting them.


5) Resource exhaustion (CVE-ID: CVE-2026-42587)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to uncontrolled resource consumption in HttpContentDecompressor and DelegatingDecompressorFrameListener when processing compressed HTTP request bodies with Content-Encoding set to br, zstd, or snappy. A remote attacker can send a specially crafted compressed payload to cause a denial of service.

The configured maxAllocation limit is enforced for gzip and deflate, but is silently ignored for brotli, zstd, and snappy. The issue affects both HTTP/1.1 and HTTP/2 handling.


6) Null Byte Interaction Error (Poison Null Byte) (CVE-ID: CVE-2026-42579)

CWE-ID: CWE-626 - Null Byte Interaction Error (Poison Null Byte)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass domain validation and poison DNS caches.

The vulnerability exists due to improper input validation in io.netty.handler.codec.dns.DnsCodecUtil encodeDomainName() when encoding user-influenced domain names. A remote attacker can supply a crafted domain name containing null bytes, overlength labels, or empty labels to bypass domain validation and poison DNS caches.

The issue affects the encoder path and relies on applications using user-influenced hostnames to construct DNS queries.


Remediation

Install update from vendor's website.

References