CVE-2026-42582: Netty QpackDecoder Vulnerability Exposes Apps to DoS

The National Vulnerability Database has issued an advisory for CVE-2026-42582, impacting Netty, an asynchronous network application framework. The vulnerability exists in Netty versions prior to 4.2.13.Final, specifically within the QpackDecoder when handling HTTP/3 header blocks. A flaw in the decodeHuffmanEncodedLiteral function allows an attacker to craft a malicious string literal with an arbitrarily large length value.

This critical oversight means the application attempts to allocate a byte array of the specified, unverified length before checking if the corresponding data actually exists in the compressed field section. The wire encoding permits expressing an extremely large length using very few bytes. This can lead to excessive memory allocation requests, consuming system resources and triggering a denial-of-service (DoS) condition on the affected server.
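The missing check described above, as an added example that is not Netty's code and does not come from the advisory: a length-prefixed literal reader that compares the declared length with the bytes actually present before allocating. It uses java.nio.ByteBuffer in place of Netty's ByteBuf, the class and method names are hypothetical, the sample bytes are constructed, and Huffman decoding is omitted.

```java
import java.nio.ByteBuffer;

// Added illustration, not Netty source; class and method names are hypothetical.
public class BoundedLiteralReader {
    // Prefix integer from RFC 7541 section 5.1, which QPACK reuses for lengths.
    static int readPrefixInt(ByteBuffer in, int prefixBits) {
        int mask = (1 << prefixBits) - 1;
        long value = in.get() & mask;
        if (value < mask) {
            return (int) value;
        }
        int shift = 0;
        int b;
        do {
            if (!in.hasRemaining() || shift > 28) {
                throw new IllegalArgumentException("truncated or oversized length");
            }
            b = in.get() & 0xFF;
            value += (long) (b & 0x7F) << shift;
            shift += 7;
        } while ((b & 0x80) != 0);
        if (value > Integer.MAX_VALUE) {
            throw new IllegalArgumentException("length exceeds int range");
        }
        return (int) value;
    }
    // Reads a length-prefixed literal; the bytes are returned still encoded.
    static byte[] readLiteral(ByteBuffer in, int prefixBits) {
        int length = readPrefixInt(in, prefixBits);
        // Validate the declared length against the bytes present before new byte[length].
        if (length > in.remaining()) {
            throw new IllegalArgumentException("declared " + length + " > available " + in.remaining());
        }
        byte[] out = new byte[length];
        in.get(out);
        return out;
    }
    public static void main(String[] args) {
        // Constructed input: length 2 followed by 2 bytes.
        byte[] ok = {0x02, 'h', 'i'};
        System.out.println(readLiteral(ByteBuffer.wrap(ok), 7).length);
        // Constructed input: 4 bytes declare length 1,000,000; only 2 bytes follow.
        byte[] bad = {0x7F, (byte) 0xC1, (byte) 0x83, 0x3D, 'h', 'i'};
        try {
            readLiteral(ByteBuffer.wrap(bad), 7);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```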

The National Vulnerability Database rates this with a CVSS score of 7.5 (HIGH), categorizing it under CWE-770 (Improper Restriction of Resource from One-Time Operations) and CWE-789 (Uncontrolled Memory Allocation). The fix is available in Netty version 4.2.13.Final, and immediate patching is crucial for any application leveraging Netty for network communication.

What This Means For You

  • If your applications or services rely on Netty, you are exposed to a remote denial-of-service attack. This isn't just a theoretical bug; an unauthenticated attacker can crash your service. You need to identify all instances of Netty in your environment and prioritize upgrading to version 4.2.13.Final or later immediately. Check your dependencies for Netty and push for patches.

🛡️ Detection Rules

high T1190 Initial Access

Web Application Exploitation Attempt — CVE-2026-42582

Sigma YAML
title: Web Application Exploitation Attempt — CVE-2026-42582
id: scw-2026-05-13-1
status: experimental
level: high
description: |
  Detects common exploitation patterns targeting web applications. Review CVE-2026-42582 advisories for specific indicators.
author: SCW Feed Engine (auto-generated)
date: 2026-05-13
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-42582/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  # Generic URI-query substrings; none of them inspects the QPACK length field described in the advisory.
  selection:
    cs-uri-query|contains:
      - '..'
      - 'SELECT'
      - 'UNION'
      - '<script'
      - 'cmd='
      - '/etc/passwd'
  condition: selection
falsepositives:
  - Legitimate activity from CVE-2026-42582

Indicators of Compromise

| ID | Type | Indicator |
| --- | --- | --- |
| CVE-2026-42582 | Denial of Service | Netty framework versions prior to 4.2.13.Final |
| CVE-2026-42582 | Memory Corruption | io.netty.handler.codec.http3.QpackDecoder#decodeHuffmanEncodedLiteral |
| CVE-2026-42582 | Buffer Overflow | Lack of length validation (length <= in.readableBytes()) before new byte[length] in QpackDecoder |

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 13, 2026 at 22:17 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
