VYPR
Advisory. Published Jun 4, 2026 · 1 source

Netty Incubator Codec BHTTP: Three Medium Severity Flaws Disclosed Together


Key findings

  • Three medium-severity vulnerabilities disclosed in Netty's incubator codec.bhttp.
  • Flaws impact Oblivious HTTP (OHTTP) implementation and cryptographic operations.
  • CVE-2026-48480: the chunked OHTTP decoder does not check that an authenticated final chunk was received before treating the outer body as complete.
  • CVE-2026-48040: incorrect native memory address handling in the direct-ByteBuf fallback path used for HPKE operations via JNI.
  • CVE-2026-41207: the HKDF_expand wrapper returns a zero-filled buffer instead of reporting failure.
  • Patched versions are 0.0.22.Final for CVE-2026-48480 and CVE-2026-48040, and 0.0.21.Final for CVE-2026-41207.

On June 4, 2026, a cluster of three medium-severity vulnerabilities was disclosed in the Netty Incubator's codec.bhttp repository, the Java codec for Binary HTTP (RFC 9292). The issues primarily affect the Oblivious HTTP (OHTTP, RFC 9458) implementation maintained in the same repository and stem from flaws in cryptographic operations and data handling.

The vulnerabilities, all disclosed within a one-hour window, point to weaknesses in three distinct places: how the library decides a chunked message is complete, how it hands buffers to native crypto code, and how it derives keys.

CVE-2026-48480 concerns the codec-ohttp implementation of draft-ietf-ohai-chunked-ohttp. Before 0.0.22.Final the decoder did not verify that an authenticated final chunk had been received before it treated the outer HTTP body as complete. In chunked OHTTP the final chunk is what tells the receiver that the message is whole, and it is sealed under a distinct AAD so that a party without the key cannot forge one. Without the check, an on-path party that cannot read the encrypted content, such as the OHTTP relay, could still cut a request or response off at a chunk boundary and have the truncated message accepted as complete.
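To make the missing check concrete, the following is an added Python model of the chunked framing. It is not Netty's code and not a real OHTTP implementation: a truncated HMAC tag stands in for the AEAD tag, the final chunk is marked by a zero length prefix and authenticated under a distinct AAD, and `open_chunks` shows the fixed behaviour (reject a body that ends without a final chunk) beside the lenient one the advisory describes. The key, chunk contents, helper names and the `TruncatedStream` exception are constructed for the example.

```python
import hashlib
import hmac
import struct

TAG_LEN = 16  # constructed stand-in: truncated HMAC-SHA256 plays the AEAD tag


class TruncatedStream(Exception):
    """The outer body ended without an authenticated final chunk."""


def encode_varint(n: int) -> bytes:
    """QUIC-style variable-length integer; 1/2/4-byte forms are enough here."""
    if n < 0x40:
        return bytes([n])
    if n < 0x4000:
        return struct.pack(">H", 0x4000 | n)
    if n < 0x40000000:
        return struct.pack(">I", 0x80000000 | n)
    raise ValueError("chunk too large for this encoder")


def decode_varint(buf: bytes, pos: int):
    """Return (value, next_pos); raise if the encoding runs past the buffer."""
    if pos >= len(buf):
        raise ValueError("truncated varint")
    size = 1 << (buf[pos] >> 6)
    if pos + size > len(buf):
        raise ValueError("truncated varint")
    raw = int.from_bytes(buf[pos:pos + size], "big")
    return raw & ((1 << (8 * size - 2)) - 1), pos + size


def _tag(key: bytes, counter: int, aad: bytes, content: bytes) -> bytes:
    # Binds chunk counter, AAD and content; AAD is length-prefixed to avoid ambiguity.
    msg = struct.pack(">QB", counter, len(aad)) + aad + content
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


def seal_chunk(key: bytes, counter: int, content: bytes, final: bool) -> bytes:
    """Non-final: varint length || content || tag.
    Final: single 0 length byte || content || tag, authenticated under AAD b'final'."""
    aad = b"final" if final else b""
    body = content + _tag(key, counter, aad, content)
    return (b"\x00" + body) if final else (encode_varint(len(body)) + body)


def seal_message(key: bytes, chunks: list) -> bytes:
    return b"".join(seal_chunk(key, i, c, i == len(chunks) - 1) for i, c in enumerate(chunks))


def open_chunks(key: bytes, body: bytes, require_final: bool = True) -> list:
    """Decode a complete outer body. require_final=True is the fixed behaviour;
    require_final=False models the flaw: whatever decoded so far is returned."""
    pos, counter, out, final_seen = 0, 0, [], False
    while pos < len(body):
        length, pos = decode_varint(body, pos)
        if length == 0:  # final chunk indicator: content runs to the end of the body
            chunk, pos, aad, final_seen = body[pos:], len(body), b"final", True
        else:
            if pos + length > len(body):
                raise ValueError("chunk runs past end of body")
            chunk, pos, aad = body[pos:pos + length], pos + length, b""
        if len(chunk) < TAG_LEN:
            raise ValueError("chunk shorter than tag")
        content, tag = chunk[:-TAG_LEN], chunk[-TAG_LEN:]
        if not hmac.compare_digest(tag, _tag(key, counter, aad, content)):
            raise ValueError("chunk authentication failed")
        out.append(content)
        counter += 1
    if require_final and not final_seen:
        raise TruncatedStream("outer body ended before an authenticated final chunk")
    return out


# Constructed demo inputs (not from the advisory).
KEY = b"\x11" * 32
CHUNKS = [b"HTTP/1.1 200 OK\r\n", b"part one of the body", b"part two, the last chunk"]


def demo() -> dict:
    full = seal_message(KEY, CHUNKS)
    # Relay drops the final chunk at a chunk boundary; earlier bytes are untouched.
    truncated = seal_chunk(KEY, 0, CHUNKS[0], False) + seal_chunk(KEY, 1, CHUNKS[1], False)
    # Relay relabels a non-final chunk as final (length prefix 0); the tag no longer matches.
    forged = seal_chunk(KEY, 0, CHUNKS[0], False) + b"\x00" + seal_chunk(KEY, 1, CHUNKS[1], False)[1:]
    results = {"full": open_chunks(KEY, full),
               "lenient_partial": open_chunks(KEY, truncated, require_final=False)}
    try:
        open_chunks(KEY, truncated)
        results["strict_rejects_truncation"] = False
    except TruncatedStream:
        results["strict_rejects_truncation"] = True
    try:
        open_chunks(KEY, forged)
        results["forged_final_rejected"] = False
    except ValueError:
        results["forged_final_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The lenient decoder hands back two of three chunks with no error, which is exactly the acceptance-of-a-truncated-message problem; the strict one raises. The forged case shows why the check is sound: the relay can remove the final chunk but cannot manufacture one, because the final-chunk AAD is part of what the tag authenticates.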

CVE-2026-48040 also affects the OHTTP implementation, which relies on BoringSSL's HPKE C library through JNI. The flaw sits in the fallback path taken for direct ByteBufs when the native memory address to pass to the C code is derived. Before 0.0.22.Final this path did not correctly expose the buffer's native address, so the native routine could operate on the wrong memory, producing incorrect cryptographic results or memory-safety problems. Anyone auditing similar JNI glue should confirm that every ByteBuf variant (direct with and without an exposed memory address, composite, and heap) reaches the native code with the correct base address and offset.

The third vulnerability, CVE-2026-41207, concerns the HKDF_expand wrapper in the codec.bhttp repository. Before 0.0.21.Final it could return a non-null result even when the underlying expansion failed; the returned byte array was zero-filled and therefore indistinguishable from a successful derivation. Because that output is used as key material for the response AEAD, a silent failure would hand the AEAD an all-zero, entirely predictable key, and anything encrypted under it could be opened by anyone who tries that key. The general rule this illustrates: a key-derivation call must fail closed, with any error surfaced to the caller as an exception rather than as a default-valued buffer.
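An added Python illustration of the failure mode, not Netty's JNI wrapper and not BoringSSL's code: `hkdf_expand` is a plain RFC 5869 implementation checked against the RFC's own Appendix A.1 test vector, `flawed_expand` models a wrapper that allocates the output buffer first and drops the error status, and `derive_aead_key` shows what a caller sees in each case. The function names, `KeyDerivationError` and the oversized-length failure trigger are assumptions made for the example.

```python
import hashlib
import hmac

HASH_LEN = hashlib.sha256().digest_size  # 32


class KeyDerivationError(Exception):
    """HKDF could not produce output; there is no key material to use."""


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract with SHA-256."""
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand with SHA-256. Fails closed: invalid input raises."""
    if len(prk) < HASH_LEN:
        raise KeyDerivationError("PRK shorter than the hash output")
    if not 0 < length <= 255 * HASH_LEN:
        raise KeyDerivationError("requested length out of range")
    okm, block = b"", b""
    for counter in range(1, -(-length // HASH_LEN) + 1):  # ceil(length / HASH_LEN) blocks
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
    return okm[:length]


def flawed_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """Models the pre-0.0.21.Final pattern (assumed shape, not the real wrapper): the
    output buffer is allocated up front and the failure status is dropped, so the
    caller receives an all-zero buffer that looks like a successful result."""
    out = bytearray(length)
    try:
        out[:] = hkdf_expand(prk, info, length)
    except KeyDerivationError:
        pass  # status ignored; `out` is still zero-filled
    return bytes(out)


def derive_aead_key(prk: bytes, info: bytes, length: int, expand=hkdf_expand) -> bytes:
    """Derive a key for the response AEAD. The real fix is propagating the status;
    refusing an all-zero output is a cheap extra guard a caller can add on top."""
    key = expand(prk, info, length)
    if key == bytes(length):
        raise KeyDerivationError("derived key is all zeros")
    return key


# RFC 5869 Appendix A.1 test vector (SHA-256), used to confirm hkdf_expand is correct.
RFC5869_A1 = {
    "ikm": bytes.fromhex("0b" * 22),
    "salt": bytes.fromhex("000102030405060708090a0b0c"),
    "info": bytes.fromhex("f0f1f2f3f4f5f6f7f8f9"),
    "prk": bytes.fromhex("077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"),
    "okm": bytes.fromhex("3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865"),
}

TOO_LONG = 255 * HASH_LEN + 1  # one byte past the HKDF limit: a guaranteed failure


def demo() -> dict:
    v = RFC5869_A1
    prk = hkdf_extract(v["salt"], v["ikm"])
    results = {
        "prk_matches_rfc": prk == v["prk"],
        "okm_matches_rfc": hkdf_expand(prk, v["info"], 42) == v["okm"],
        "flawed_returns_zeros": flawed_expand(prk, v["info"], TOO_LONG) == bytes(TOO_LONG),
    }
    try:
        derive_aead_key(prk, v["info"], TOO_LONG, expand=flawed_expand)
        results["guard_catches_zero_key"] = False
    except KeyDerivationError:
        results["guard_catches_zero_key"] = True
    try:
        hkdf_expand(prk, v["info"], TOO_LONG)
        results["fixed_raises"] = False
    except KeyDerivationError:
        results["fixed_raises"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The all-zero guard in `derive_aead_key` is deliberately secondary: a genuine derivation producing 32 zero bytes is astronomically unlikely, so the check costs nothing, but it only catches this one failure shape. The primary fix is the one in `hkdf_expand` itself: no error path returns a buffer.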

All three vulnerabilities are addressed in version 0.0.22.Final of the codec.bhttp repository; CVE-2026-41207 was already fixed in 0.0.21.Final. Users of Netty's incubator codec.bhttp and codec-ohttp artifacts should check the versions actually resolved in their dependency tree and update to 0.0.22.Final or later. The disclosure and patching of these issues together underline the value of continuous security review for complex protocol implementations, particularly where managed code drives native cryptography.

Synthesized by Vypr AI