VYPR
Medium severity5.3GHSA Advisory· Published Jun 4, 2026· Updated Jun 5, 2026

CVE-2026-41207

CVE-2026-41207

Description

The netty incubator codec.bhttp is a java language binary http parser. Prior to version 0.0.21.Final, HKDF_expand returns non-NULL on failure. The byte[] is filled with zeros and has no way to distinguish success from failure. Since this output is used as HKDF key material for the response AEAD, a failure silently produces an all-zero key. When EVP_HPKE_CTX_export fails it also returns an empty byte[] array filled with zeros. This byte[] feeds directly into OHttpCrypto.createResponseAEAD(...). A silent all-zero export secret would produce a deterministic, attacker-predictable AEAD key. Version 0.0.21.Final patches the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
io.netty.incubator:netty-incubator-codec-ohttpMaven
< 0.0.21.Final0.0.21.Final

Affected products

2
  • < 0.0.21.Final+ 1 more
    • (no CPE)range: < 0.0.21.Final
    • cpe:2.3:a:netty:netty-incubator-codec-ohttp:*:*:*:*:*:*:*:*range: <0.0.21

Patches

Vulnerability mechanics

References

4

News mentions

1