CVE-2026-41207
Description
The netty incubator codec.bhttp is a java language binary http parser. Prior to version 0.0.21.Final, HKDF_expand returns non-NULL on failure. The byte[] is filled with zeros and has no way to distinguish success from failure. Since this output is used as HKDF key material for the response AEAD, a failure silently produces an all-zero key. When EVP_HPKE_CTX_export fails it also returns an empty byte[] array filled with zeros. This byte[] feeds directly into OHttpCrypto.createResponseAEAD(...). A silent all-zero export secret would produce a deterministic, attacker-predictable AEAD key. Version 0.0.21.Final patches the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
io.netty.incubator:netty-incubator-codec-ohttpMaven | < 0.0.21.Final | 0.0.21.Final |
Affected products
2< 0.0.21.Final+ 1 more
- (no CPE)range: < 0.0.21.Final
- cpe:2.3:a:netty:netty-incubator-codec-ohttp:*:*:*:*:*:*:*:*range: <0.0.21
Patches
Vulnerability mechanics
References
4- github.com/netty/netty-incubator-codec-ohttp/commit/3d3b4e527fc82ad0fe3db1af951ffd0ec9a10680nvdPatchWEB
- github.com/advisories/GHSA-f659-372h-6x3xghsaADVISORY
- github.com/netty/netty-incubator-codec-ohttp/security/advisories/GHSA-f659-372h-6x3xnvdVendor AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2026-41207ghsaADVISORY
News mentions
1- Netty Incubator Codec BHTTP: Three Medium Severity Flaws Disclosed TogetherVypr Intelligence · Jun 4, 2026