CVE-2026-41207

216.73.216.36

· Published 04/06/2026 18:16 · Modified 05/06/2026 21:01

Labels: CVE-2026-41207 2026-06-04 CVE-2026-41207 CWE-330 [email protected]

Essential information

Published: 04/06/2026 18:16
Modified: 05/06/2026 21:01
Author: —
Creator: —
CVSS: 6.9 MEDIUM (v3) 6.9 MEDIUM (v4.0)
CISA KEV: No
CWE: —
CVSS vector: —

CVSS metrics

Description

The netty incubator codec.bhttp is a java language binary http parser. Prior to version 0.0.21.Final, HKDF_expand returns non-NULL on failure. The byte[] is filled with zeros and has no way to distinguish success from failure. Since this output is used as HKDF key material for the response AEAD, a failure silently produces an all-zero key. When EVP_HPKE_CTX_export fails it also returns an empty byte[] array filled with zeros. This byte[] feeds directly into OHttpCrypto.createResponseAEAD(...). A silent all-zero export secret would produce a deterministic, attacker-predictable AEAD key. Version 0.0.21.Final patches the issue.

NVD status

Status: Analyzed — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]
NVD: View on NVD

Affected products (CPE)

Product	CPE
netty / netty-incubator-codec-ohttp	`cpe:2.3:a:netty:netty-incubator-codec-ohttp::::::::`