CVE-2026-41207 – netty-incubator-codec-ohttp’s HPKEContext operations may produce empty byte[] on failures

CVE ID :CVE-2026-41207

Published : June 4, 2026, 6:16 p.m. | 16 minutes ago

Description :The netty incubator codec.bhttp is a java language binary http parser. Prior to version 0.0.21.Final, HKDF_expand returns non-NULL on failure. The byte[] is filled with zeros and has no way to distinguish success from failure. Since this output is used as HKDF key material for the response AEAD, a failure silently produces an all-zero key. When EVP_HPKE_CTX_export fails it also returns an empty byte[] array filled with zeros. This byte[] feeds directly into OHttpCrypto.createResponseAEAD(…). A silent all-zero export secret would produce a deterministic, attacker-predictable AEAD key. Version 0.0.21.Final patches the issue.

Severity: 6.9 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more… 

نوشته های مشابه

CVE-2026-50292 – libinput: Arbitrary Root Code Execution via Device Group udev Property Injection

CVE-2026-48040 – netty-incubator-codec-ohttp’s Incorrect Native Pointer Derivation in Pooled Direct ByteBuf Fallback Leads to Out-of-Bounds Native Memory Access

CVE-2026-25551 – Seagull Software BarTender Deserialization Privilege Escalation via .NET Remoting Service

CVE-2026-25550 – Seagull Software BarTender Unauthenticated RCE via .NET Remoting Service