CVE-2026-42584: Netty HTTP/2 Handling Vulnerability Exposes Data Corruption

The National Vulnerability Database has detailed CVE-2026-42584, a high-severity vulnerability (CVSS 7.3) affecting Netty, an asynchronous network application framework. The flaw resides in HttpClientCodec where an incorrect pairing of inbound HTTP responses with outbound requests can occur, specifically when 1xx informational responses are involved.

According to the National Vulnerability Database, this issue manifests when a client pipelines requests (e.g., GET then HEAD) and the server sends a 103 informational response followed by a 200 OK for the GET, and then another 200 OK for the HEAD. The HttpClientCodec can incorrectly pair the HEAD request with the first 200 OK, leading the HEAD rule to skip reading the message body. This leaves the GET entity bytes on the stream, causing subsequent responses to be parsed from the wrong offset and potentially corrupting data.
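The mispairing can be reproduced in a small model. This is an added example, not Netty code: `decode`, the `poll_on_1xx` switch and the byte stream are constructed for illustration, and a FIFO of outbound methods stands in for the codec's request tracking.

```python
from collections import deque

# Constructed wire data: 103 then 200 (5-byte body) for the GET, then 200 for the HEAD.
STREAM = (b"HTTP/1.1 103 Early Hints\r\nLink: </s.css>; rel=preload\r\n\r\n"
          b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nHELLO"
          b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\n")

def decode(stream, methods, poll_on_1xx):
    """Model of a client decoder pairing responses with a FIFO of sent methods.

    Returns (responses, leftover): responses is a list of
    (paired_method, status, body); leftover is the unparsable tail, if any.
    poll_on_1xx=True models the flawed pairing, False the corrected one.
    """
    queue, out, pos = deque(methods), [], 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        head = stream[pos:end].decode("latin-1").split("\r\n") if end != -1 else [""]
        if not head[0].startswith("HTTP/"):
            return out, stream[pos:]          # parser is reading from the wrong offset
        pos = end + 4
        status = int(head[0].split(" ", 2)[1])
        headers = dict(line.split(": ", 1) for line in head[1:])
        informational = 100 <= status < 200
        if informational and not poll_on_1xx:
            out.append((None, status, b""))   # interim response: request stays queued
            continue
        method = queue.popleft() if queue else None
        if informational or method == "HEAD":
            body = b""                        # HEAD rule: no body is read
        else:
            length = int(headers.get("Content-Length", "0"))
            body = stream[pos:pos + length]
            pos += length
        out.append((method, status, body))
    return out, b""

def demo():
    flawed = decode(STREAM, ["GET", "HEAD"], poll_on_1xx=True)
    fixed = decode(STREAM, ["GET", "HEAD"], poll_on_1xx=False)
    return flawed, fixed

if __name__ == "__main__":
    for label, (responses, leftover) in zip(("flawed", "fixed"), demo()):
        print(label, responses, "leftover:", leftover)
```

In the flawed run the GET's `HELLO` bytes stay on the stream and the next status line cannot be parsed; in the corrected run each final response is paired with its own request.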

This vulnerability is fixed in Netty versions 4.2.13.Final and 4.1.133.Final. Defenders must understand that this isn’t just a denial-of-service risk; it’s a data integrity nightmare. Misaligned parsing means applications could be processing incorrect or partial data, leading to logical errors, application crashes, or even unexpected behavior that an attacker could potentially exploit for further compromise.

What This Means For You

  • If your organization uses Netty, particularly in HTTP/2 client implementations, you are exposed to potential data corruption and application instability. This isn't theoretical; it's a fundamental parsing flaw. Immediately identify all Netty instances in your environment, prioritize patching to versions 4.2.13.Final or 4.1.133.Final, and review application logs for any anomalies that could indicate incorrect HTTP response handling or data parsing errors.
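One way to start the inventory step, as an added example that is not part of the advisory: it walks a directory tree for Netty HTTP codec jars and compares them with the two fixed versions named above. It assumes jars keep their Maven-style file names; `classify` and `scan` are hypothetical helper names.

```python
import os
import re

# Fixed releases named in the advisory, keyed by (major, minor) release line.
FIXED = {(4, 1): (4, 1, 133), (4, 2): (4, 2, 13)}

# netty-codec-http contains HttpClientCodec; netty-all is the aggregate artifact.
# The pattern deliberately does not match netty-codec-http2-*.jar.
JAR_RE = re.compile(
    r"^netty-(?:codec-http|all)-(\d+)\.(\d+)\.(\d+)\.([A-Za-z0-9]+)\.jar$")

def classify(jar_name):
    """Return 'vulnerable', 'fixed', 'unknown-line', or None if not a match."""
    m = JAR_RE.match(jar_name)
    if not m:
        return None
    version = tuple(int(part) for part in m.group(1, 2, 3))
    qualifier = m.group(4)
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return "unknown-line"      # advisory names no fixed version for this line
    if version > fixed:
        return "fixed"
    if version == fixed and qualifier == "Final":
        return "fixed"
    return "vulnerable"            # older, or a pre-release of the fixed version

def scan(root):
    """Walk root and return sorted (path, verdict) pairs for matching jars."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            verdict = classify(name)
            if verdict:
                findings.append((os.path.join(dirpath, name), verdict))
    return sorted(findings)

if __name__ == "__main__":
    for path, verdict in scan("."):
        print(f"{verdict:13} {path}")
```

File-name matching misses Netty classes repackaged inside shaded or fat jars, so pair it with the build tool's dependency report.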

🛡️ Detection Rules

2 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.

high T1190 Initial Access

CVE-2026-42584: Netty HTTP/2 Data Corruption Attempt

Sigma YAML
title: CVE-2026-42584: Netty HTTP/2 Data Corruption Attempt
id: scw-2026-05-13-ai-1
status: experimental
level: high
description: |
  This rule detects a specific sequence of HTTP requests (GET followed by HEAD) and a 103 Early Hints status code, which is indicative of the exploitation attempt for CVE-2026-42584. This vulnerability in Netty's HTTP/2 handling can lead to data corruption by mispairing responses with requests, potentially allowing attackers to manipulate data or gain unauthorized access.
author: SCW Feed Engine (AI-generated)
date: 2026-05-13
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-42584/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-method:
      - 'GET'
      - 'HEAD'
    sc-status:
      - '103'
  # condition belongs at the detection level, not inside the selection map
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World

Indicators of Compromise

ID | Type | Indicator
CVE-2026-42584 | Information Disclosure | Netty HttpClientCodec versions prior to 4.2.13.Final
CVE-2026-42584 | Information Disclosure | Netty HttpClientCodec versions prior to 4.1.133.Final
CVE-2026-42584 | Information Disclosure | Netty HttpClientCodec incorrect pairing of 1xx responses leading to parsing from wrong offset

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 13, 2026 at 22:17 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
