CVE-2026-48040
Status: Analyzed (Analysis Complete)
Memory Corruption in Netty Incubator Codec BHTTP

Publication date: 2026-06-04

Last updated on: 2026-06-05

Assigner: GitHub, Inc.

Description
The netty incubator codec.bhttp is a Java binary HTTP parser. The library implements Oblivious HTTP (RFC 9458) using BoringSSL's HPKE C library via JNI. When deriving native memory addresses for cryptographic operations, versions prior to 0.0.22.Final provide a fallback path for direct ByteBufs that do not expose their memory address through `hasMemoryAddress()`. This fallback occurs when `sun.misc.Unsafe` is unavailable to Netty, for example when the JVM is started with `-Dio.netty.noUnsafe=true`, when a SecurityManager restricts Unsafe access, or when running on non-HotSpot JVMs. In these configurations, Netty's default `PooledByteBufAllocator` returns `PooledDirectByteBuf` instances for which `hasMemoryAddress()` returns false.

Under the enabling JVM configuration, an unauthenticated network attacker can cause the OHTTP gateway to corrupt memory belonging to other concurrent connections and disclose the contents of adjacent pooled direct buffers by triggering cryptographic operations with crafted OHTTP requests. The corruption occurs regardless of whether the AEAD tag verification succeeds, as BoringSSL zeroizes the output buffer on failure. The information disclosure path provides the attacker with the encryption key needed to extract the leaked data. This violates the confidentiality and integrity of all connections sharing the same Netty buffer arena. Version 0.0.22.Final fixes the issue.
Meta Information
Generated: 2026-06-25
AI Q&A: 2026-06-04
EPSS Evaluated: 2026-06-23
Affected Vendors & Products
Vendor: netty
Product: netty-incubator-codec-ohttp
Version / Range: up to 0.0.22 (excluding)
CWE
CWE-125: The product reads data past the end, or before the beginning, of the intended buffer.
CWE-787: The product writes data past the end, or before the beginning, of the intended buffer.
Executive Summary

CVE-2026-48040 is a vulnerability in the netty incubator codec.bhttp library, which is a Java binary HTTP parser implementing Oblivious HTTP using BoringSSL's HPKE via JNI. The issue occurs in versions prior to 0.0.22.Final when the JVM configuration disables or restricts access to sun.misc.Unsafe, causing Netty to use a fallback path for direct ByteBufs that do not expose their memory address.

Under these conditions, an unauthenticated network attacker can send specially crafted OHTTP requests that trigger cryptographic operations, corrupting memory that belongs to other concurrent connections. The same defect discloses the contents of adjacent pooled direct buffers, and the disclosure path supplies the attacker with the encryption key needed to decrypt what leaked, violating the confidentiality and integrity of all connections sharing the same Netty buffer arena.

The vulnerability is fixed in version 0.0.22.Final.

Impact Analysis

This vulnerability can have serious security impacts. An unauthenticated attacker can exploit it remotely to corrupt memory of other concurrent connections and disclose sensitive data from adjacent memory buffers.

Because the disclosure path supplies the attacker with the encryption key needed to extract the leaked data, the attacker can decrypt it, compromising the confidentiality and integrity of all affected connections sharing the same Netty buffer arena.

This means sensitive information transmitted over these connections could be exposed to attackers, potentially leading to data breaches or unauthorized data access.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade the netty-incubator-codec-ohttp library to version 0.0.22.Final or later, where the issue has been fixed.

Additionally, avoid running the JVM with the flag -Dio.netty.noUnsafe=true or configurations that restrict access to sun.misc.Unsafe, such as SecurityManager restrictions or non-HotSpot JVMs, since these trigger the vulnerable fallback path.

Compliance Impact

This vulnerability compromises the confidentiality and integrity of all connections sharing the same Netty buffer arena by allowing an unauthenticated attacker to disclose adjacent buffer contents belonging to other connections, and to decrypt what leaked.

Such a breach of confidentiality and integrity could lead to non-compliance with data protection standards and regulations like GDPR and HIPAA, which require the protection of sensitive personal and health information against unauthorized access and disclosure.

Detection Guidance

This vulnerability occurs in versions of netty-incubator-codec-ohttp prior to 0.0.22.Final when the JVM is configured to disable Unsafe access (e.g., with the JVM option -Dio.netty.noUnsafe=true) or when running under a SecurityManager restricting Unsafe, or on non-HotSpot JVMs.

To determine whether your system is vulnerable, first verify the version of netty-incubator-codec-ohttp in use, then check the JVM startup parameters for `-Dio.netty.noUnsafe=true` or similar restrictions on Unsafe.

Suggested commands to detect vulnerability presence:

  • Check the netty-incubator-codec-ohttp version in your application dependencies or runtime environment to confirm if it is prior to 0.0.22.Final.
  • Inspect JVM startup parameters for Unsafe restrictions: run `ps aux | grep java` (Linux/macOS) or check service configurations to see if `-Dio.netty.noUnsafe=true` is set.
  • If you have access to the running JVM, you can query system properties with a command like `jcmd <pid> VM.system_properties` or use a Java diagnostic tool to check for the `io.netty.noUnsafe` property.

Network detection of exploitation attempts would require monitoring for crafted Oblivious HTTP (OHTTP) requests triggering cryptographic operations, but no specific detection commands or signatures are provided in the available resources.
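As an added example (not from the advisory or the Netty project), the following POSIX shell script combines the two checks above: it reads the output of `jcmd <pid> VM.system_properties`, pulls the codec version from the `java.class.path` property, and reports whether the version is older than 0.0.22 and whether `io.netty.noUnsafe=true` is set. It assumes the codec jar carries the usual `netty-incubator-codec-ohttp-<version>.jar` file name; the property dump shown is a constructed sample.

```shell
#!/bin/sh
# Added example for CVE-2026-48040 (not from the advisory or the Netty project).
# It combines the two checks from the guidance above: is netty-incubator-codec-ohttp
# older than 0.0.22, and is Unsafe disabled (io.netty.noUnsafe=true), which enables
# the vulnerable fallback path. Input is the text of `jcmd <pid> VM.system_properties`.

# Exit 0 when a version string such as "0.0.21.Final" is older than 0.0.22.
ohttp_version_vulnerable() {
  v=${1%.Final}
  old_ifs=$IFS; IFS=.; set -- $v; IFS=$old_ifs
  major=${1:-0}; minor=${2:-0}; patch=${3:-0}
  patch=${patch%%[!0-9]*}                 # drop qualifiers such as "-SNAPSHOT"
  [ "$major" -eq 0 ] && [ "$minor" -eq 0 ] && [ "${patch:-0}" -lt 22 ]
}

# Pull the codec version out of the java.class.path property (assumes the usual
# netty-incubator-codec-ohttp-<version>.jar file name on the classpath).
ohttp_version_from_props() {
  printf '%s\n' "$1" | grep '^java\.class\.path=' |
    sed -n 's/.*netty-incubator-codec-ohttp-\([0-9][0-9A-Za-z.]*\)\.jar.*/\1/p' | head -n 1
}

# Exit 0 when the dumped properties show Unsafe disabled for Netty.
unsafe_disabled_in_props() {
  printf '%s\n' "$1" | grep -q '^io\.netty\.noUnsafe=true$'
}

# Classify one JVM: VULNERABLE (old codec and Unsafe disabled), UPGRADE (old codec,
# Unsafe available; a config change would expose it), OK (fixed codec), UNKNOWN.
assess_jvm() {
  props=$1
  ver=$(ohttp_version_from_props "$props")
  [ -n "$ver" ] || { echo UNKNOWN; return 0; }
  if ohttp_version_vulnerable "$ver"; then
    if unsafe_disabled_in_props "$props"; then echo VULNERABLE; else echo UPGRADE; fi
  else
    echo OK
  fi
}

# Constructed sample in the shape of `jcmd <pid> VM.system_properties` output.
SAMPLE_PROPS='12345:
#Thu Jun 04 10:00:00 UTC 2026
java.vm.name=OpenJDK 64-Bit Server VM
io.netty.noUnsafe=true
java.class.path=/app/lib/netty-incubator-codec-ohttp-0.0.21.Final.jar\:/app/lib/netty-all.jar'

# Live use: assess_jvm "$(jcmd "$pid" VM.system_properties)"
assess_jvm "$SAMPLE_PROPS"   # prints VULNERABLE for the constructed sample
```

An UPGRADE result still warrants patching: the fixed version removes the defect, whereas keeping Unsafe enabled only avoids the fallback path on the current configuration.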
