CVE-2026-41207

Published: Giu 04, 2026 Last Modified: Giu 04, 2026

ExploitDB:

Other exploit source:

Google Dorks:

MEDIUM 6,9

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: none

User Interaction: none

Confidentiality: N/A

Integrity: N/A

Availability: N/A

Description

AI Translation Available

The netty incubator codec.bhttp is a java language binary http parser. Prior to version 0.0.21.Final, HKDF_expand returns non-NULL on failure. The byte[] is filled with zeros and has no way to distinguish success from failure. Since this output is used as HKDF key material for the response AEAD, a failure silently produces an all-zero key. When EVP_HPKE_CTX_export fails it also returns an empty byte[] array filled with zeros. This byte[] feeds directly into OHttpCrypto.createResponseAEAD(...). A silent all-zero export secret would produce a deterministic, attacker-predictable AEAD key. Version 0.0.21.Final patches the issue.

330

Use of Insufficiently Random Values

Stable

Abstraction: Class Structure: Simple

Common Consequences

Security Scopes Affected:

Confidentiality Other Access Control

Potential Impacts:

Other Bypass Protection Mechanism Gain Privileges Or Assume Identity

Applicable Platforms

All platforms may be affected

Likelihood of Exploit: High

View CWE Details

https://github.com/netty/netty-incubator-codec-ohttp/commit…

https://github.com/netty/netty-incubator-codec-ohttp/commit/3d3b4e527fc82ad0fe3…

https://github.com/netty/netty-incubator-codec-ohttp/securi…

https://github.com/netty/netty-incubator-codec-ohttp/security/advisories/GHSA-f…

CVE-2026-41207

Description

Use of Insufficiently Random Values

Common Consequences

Applicable Platforms

Iscriviti alla newsletter