CVE-2026-48040
Memory Corruption in Netty Incubator Codec BHTTP
Publication date: 2026-06-04
Last updated on: 2026-06-04
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| netty | codec.bhttp | up to 0.0.22.Final (exclusive) |
| netty | netty-incubator-codec-ohttp | 0.0.22.Final |
| netty | netty-incubator-codec-ohttp | up to 0.0.22.Final (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-48040 is a vulnerability in the netty incubator codec.bhttp library, which is a Java binary HTTP parser implementing Oblivious HTTP using BoringSSL's HPKE via JNI. The issue occurs in versions prior to 0.0.22.Final when the JVM configuration disables or restricts access to sun.misc.Unsafe, causing Netty to use a fallback path for direct ByteBufs that do not expose their memory address.
Under these conditions, an unauthenticated network attacker can send specially crafted OHTTP requests that trigger cryptographic operations, leading to memory corruption in other concurrent connections. This corruption can cause disclosure of the contents of adjacent pooled direct buffers, including encryption keys, violating the confidentiality and integrity of all connections sharing the same Netty buffer arena.
The vulnerability is fixed in version 0.0.22.Final.
How can this vulnerability impact me?
This vulnerability can have serious security impacts. An unauthenticated attacker can exploit it remotely to corrupt memory of other concurrent connections and disclose sensitive data from adjacent memory buffers.
Because the attacker can obtain encryption keys through this memory disclosure, they can decrypt leaked data, compromising the confidentiality and integrity of all affected connections sharing the same Netty buffer arena.
This means sensitive information transmitted over these connections could be exposed to attackers, potentially leading to data breaches or unauthorized data access.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade the netty-incubator-codec-ohttp library to version 0.0.22.Final or later, where the issue has been fixed.
Additionally, avoid running the JVM with the flag -Dio.netty.noUnsafe=true or configurations that restrict access to sun.misc.Unsafe, such as SecurityManager restrictions or non-HotSpot JVMs, since these trigger the vulnerable fallback path.
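The two mitigation steps above can be checked against a deployment inventory. The following Python check is an added example, not code from the advisory or from the Netty project: it flags affected artifacts older than 0.0.22.Final and reports whether the JVM arguments set io.netty.noUnsafe. It assumes `mvn dependency:list`-style coordinates, the group id io.netty.incubator, and that codec.bhttp is published as netty-incubator-codec-bhttp; the sample input is constructed.

```python
import re

FIXED = (0, 0, 22)  # first fixed release per the advisory: 0.0.22.Final
# "netty-incubator-codec-ohttp" is named on this page; the bhttp artifact id
# is an assumption about how codec.bhttp is published.
ARTIFACTS = ("netty-incubator-codec-ohttp", "netty-incubator-codec-bhttp")
NO_UNSAFE = re.compile(r"^-Dio\.netty\.noUnsafe(?:=(.*))?$")

def parse_version(text):
    """'0.0.21.Final' -> (0, 0, 21); None when there is no numeric x.y.z prefix."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(p) for p in m.groups()) if m else None

def vulnerable_artifacts(dependency_lines):
    """[(artifactId, version)] from groupId:artifactId:type[:classifier]:version:scope."""
    hits = []
    for line in dependency_lines:
        parts = line.replace("[INFO]", "").strip().split(":")
        if len(parts) < 5 or not parts[1].startswith(ARTIFACTS):
            continue
        parsed = parse_version(parts[-2])
        if parsed is None or parsed < FIXED:  # unparseable versions are reported too
            hits.append((parts[1], parts[-2]))
    return hits

def no_unsafe_forced(jvm_args):
    """True when the last -Dio.netty.noUnsafe setting is anything but 'false'."""
    forced = False
    for arg in jvm_args:
        m = NO_UNSAFE.match(arg)
        if m:  # conservative: unknown values are flagged for review
            forced = (m.group(1) or "").strip().lower() != "false"
    return forced

def assess(dependency_lines, jvm_args):
    """'ok', 'upgrade' (old version) or 'exposed' (old version + flag set)."""
    hits = vulnerable_artifacts(dependency_lines)
    if not hits:
        return "ok", hits
    # A missing flag is not proof of safety: SecurityManager restrictions and
    # non-HotSpot JVMs reach the same fallback path and are invisible here.
    return ("exposed" if no_unsafe_forced(jvm_args) else "upgrade"), hits

# Constructed sample input, not taken from a real build or host.
SAMPLE_DEPS = ["[INFO]    io.netty:netty-buffer:jar:4.1.100.Final:compile",
               "[INFO]    io.netty.incubator:netty-incubator-codec-ohttp:jar:0.0.21.Final:compile"]
SAMPLE_ARGS = ["-Xmx2g", "-Dio.netty.noUnsafe=true"]
if __name__ == "__main__":
    print(assess(SAMPLE_DEPS, SAMPLE_ARGS))
```

A result of "upgrade" still calls for the version bump, because the flag is only one of the triggers the answer above lists.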
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability compromises the confidentiality and integrity of all connections sharing the same Netty buffer arena by allowing an unauthenticated attacker to disclose sensitive data, including encryption keys and adjacent buffer contents.
Such a breach of confidentiality and integrity could lead to non-compliance with data protection standards and regulations like GDPR and HIPAA, which require the protection of sensitive personal and health information against unauthorized access and disclosure.