CVE-2026-48480

June 5, 2026, 4 p.m.

6.6
Medium

Description

The netty incubator codec.bhttp is a java language binary http parser. Prior to version 0.0.22.FInal, the codec-ohttp implementation of draft-ietf-ohai-chunked-ohttp does not verify that a cryptographically-signed final chunk was received before the outer HTTP body terminates. An on-path adversary (the OHTTP relay itself, or any MITM on the relay↔gateway or relay↔client transport) can forward a prefix of a legitimate chunked-OHTTP message—cut at a non-final chunk boundary—and close the outer body cleanly, producing no decryption error and no exception in the receiving application. Version 0.0.22.Final fixes the issue.

Product(s) Impacted

Vendor Product Versions
Netty
  • Codec.bhttp
  • <0.0.22.Final

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-325
Missing Cryptographic Step
The product does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than advertised by the algorithm.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a netty codec.bhttp <0.0.22.Final / / / / / /

References

https://github.com/netty/netty-incubator-codec-ohttp/commit/28f977f293591a4e837bd59ceb441f9f70349915
https://github.com/netty/netty-incubator-codec-ohttp/security/advisories/GHSA-r6fj-869h-4f6q

Tags

[email protected]
CWE-325
2026-06-04
CVE-2026-48480

CVSS Score

6.6 / 10

CVSS Data - 4.0

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Attack Requirements: NONE
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope:
  • Confidentiality Impact: NONE
  • Integrity Impact: HIGH
  • Availability Impact: NONE
  • Exploit Maturity: UNREPORTED

    • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    View Vector String

Timeline

Published: June 4, 2026, 7:16 p.m.
Last Modified: June 5, 2026, 4 p.m.

Status : Deferred

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.