NVD CRITICAL: CVE-2026-42584 — Netty is an asynchronous, event-driven network application framework. Prior to 4...

Wednesday, May 13, 2026 at 07:17 PM UTC·Source: NIST NVD

Updated: Monday, May 18, 2026 at 01:00 PM UTC

Executive Summary

Analysis

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll() once per response, including for 1xx. If the client pipelines GET then HEAD and the server sends 103, then 200 with GET body, then 200 for HEAD, the queue pairs HEAD with the first 200. The HEAD rule then skips reading that message’s body, so the GET entity bytes stay on the stream and the following 200 is parsed from the wrong offset. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final. CVSS Score: 7.3. Published: 2026-05-13T19:17:24.043.

Indicators of Compromise (1)

CVE (1)

CVE-2026-42584

NVD MITRE CVE

Source Attribution

Originally published by NIST NVD on May 13, 2026. Verified by: NIST.

Related Threats

MEDIUMVulnerabilityNEW

Interpol Launches Sweeping Cybercrime Crackdown in MENA Region

Over 200 people were arrested in an anti-cybercrime operation that spanned 13 countries across the Middle East and North Africa

9m agoInfosecurity Magazine

MEDIUMVulnerabilityNEW

Grafana says stolen GitHub token let hackers steal codebase

Grafana Labs disclosed that hackers have downloaded its source code after breaching its GitHub environment using a stolen access token. [...]

23m agoBleepingComputer

LOWVulnerabilityNEW

CMC Markets launches spread-betting account for retail clients

CMC Markets (“CMC”), a FTSE 250 company and global leader in multi-asset online trading and investing, has launched Spectre for retail clients, following strong demand after the product was initially introduced for professional traders.

27m agoFinextra