CVE-2026-50020— Netty's HttpObjectDecoder skips arbitrary initial control characters when only initial CRLF characters are permitted
Possible ATT&CK Techniques 1AI
T1190 · Exploit Public-Facing ApplicationGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-50020
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Netty's HttpObjectDecoder skips arbitrary initial control characters when only initial CRLF characters are permitted
Source: NVD (National Vulnerability Database)
Vulnerability Description
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, before reading the first request-line, `HttpObjectDecoder` skips every byte for which `Character.isISOControl(b)` is `true` (0x00–0x1F and 0x7F) as well as all whitespace. RFC 9112 §2.2 only asks servers to ignore empty CRLF lines preceding the request-line — a carefully scoped robustness allowance intended to handle HTTP/1.0 POST workarounds. Silently absorbing NUL bytes, SOH, STX, and other non-CRLF control characters goes significantly beyond this, and can be exploited for request-boundary confusion in pipelined or multiplexed transports where a front-end component treats those bytes differently. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
HTTP请求的解释不一致性(HTTP请求私运)
Source: NVD (National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-50020
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-50020
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-50020 (1)
Vendor Pages for CVE-2026-50020 (2)
Same Patch Batch · netty · 2026-06-12 · 19 CVEs total
| CVE-2026-45674 | 8.7 HIGH | Netty Vulnerable to DNS Cache Poisoning via Missing Bailiwick Checks in CNAME Records |
| CVE-2026-47691 | 8.7 HIGH | Netty has Insufficient Bailiwick Validation for NS Records |
| CVE-2026-44892 | 7.5 HIGH | Netty has a Vulnerable Default Configuration Which Leads to Denial of Service via Unbounde |
| CVE-2026-44894 | 7.5 HIGH | Netty's Default QUIC token handler accepts any client-supplied token |
| CVE-2026-44893 | 7.5 HIGH | Netty: HAProxy SSL TLV parsing leaks retained slice on invalid TLV length |
| CVE-2026-46340 | 7.5 HIGH | Netty: SCTP reassembly nests buffers without bound |
| CVE-2026-50011 | 7.5 HIGH | Netty has unbounded pre-allocation in RedisArrayAggregator from RESP array length |
| CVE-2026-50010 | 7.5 HIGH | Netty's wrapping plain trust manager silently disables hostname verification |
| CVE-2026-48748 | 7.5 HIGH | Netty HTTP/3 QPACK Blocked Streams Memory Exhaustion |
| CVE-2026-45416 | 7.5 HIGH | Netty: SNI handler pre-allocates up to 16 MiB from nine attacker bytes |
| CVE-2026-45673 | 6.8 MEDIUM | Netty: DNS Cache Poisoning due to Predictable PRNG and Default Static Source Port |
| CVE-2026-48043 | 5.3 MEDIUM | netty-codec-http2: ByteBuf Reference-Count Leak in DelegatingDecompressorFrameListener Lea |
| CVE-2026-47244 | 5.3 MEDIUM | Netty HTTP/2: Advertised MAX_CONCURRENT_STREAMS are not enforced |
| CVE-2026-50009 | 4.8 MEDIUM | Netty QUIC stateless reset token material exposed through header-visible connection IDs |
| CVE-2026-45536 | 4.0 MEDIUM | Netty: Unix-socket fd receive leaks descriptors when peer sends two at once |
| CVE-2026-48006 | Netty's Lack of Lifecycle Cleanup Leads to Pooled ByteBuf Leak in RedisArrayAggregator | |
| CVE-2026-50560 | Netty susceptible to HTTP/2 Reset Attack with different on-the-wire signature | |
| CVE-2026-48059 | Netty HAProxy: Unbalanced Reference Count in Nested PP2_TYPE_SSL TLV Parsing Leads to Memo |
IV. Related Vulnerabilities
Same product: netty
- CVE-2026-50560
Netty susceptible to HTTP/2 Reset Attack with different on-t - CVE-2026-50011
Netty has unbounded pre-allocation in RedisArrayAggregator f - CVE-2026-50010
Netty's wrapping plain trust manager silently disables hostn - CVE-2026-50009
Netty QUIC stateless reset token material exposed through he - CVE-2026-48748
Netty HTTP/3 QPACK Blocked Streams Memory Exhaustion
Same vendor: netty
- CVE-2026-50560
Netty susceptible to HTTP/2 Reset Attack with different on-t - CVE-2026-50011
Netty has unbounded pre-allocation in RedisArrayAggregator f - CVE-2026-50010
Netty's wrapping plain trust manager silently disables hostn - CVE-2026-50009
Netty QUIC stateless reset token material exposed through he - CVE-2026-48748
Netty HTTP/3 QPACK Blocked Streams Memory Exhaustion
Same weakness: CWE-444
- CVE-2026-6338
HTTP request smuggling in Kong Enteprise Gateway - CVE-2026-41853
Spring Framework Multipart Request Smuggling in Spring MVC a - CVE-2026-44546
Header injection via WebSocket upgrade parser differential a - CVE-2026-50052
Varnish Cache和Vinyl Cache 环境问题漏洞 - CVE-2026-49753
HTTP response smuggling in Mint HTTP/1 client via lenient Co
V. Comments for CVE-2026-50020
No comments yet