CVE-2026-48040: CWE-125: Out-of-bounds Read in netty netty-incubator-codec-ohttp
The netty incubator codec.bhttp is a java language binary http parser. The library implements Oblivious HTTP (RFC 9458) using BoringSSL's HPKE C library via JNI. When deriving native memory addresses for cryptographic operations versions prior to 0.0.22.Final provide a fallback path for direct ByteBufs that do not expose their memory address through `hasMemoryAddress()`. This fallback occurs when `sun.misc.Unsafe` is unavailable to Netty — for example, when the JVM is started with `-Dio.netty.noUnsafe=true`, when a SecurityManager restricts Unsafe access, or when running on non-HotSpot JVMs. In these configurations, Netty's default `PooledByteBufAllocator` returns `PooledDirectByteBuf` instances for which `hasMemoryAddress()` returns false. Under the enabling JVM configuration, an unauthenticated network attacker can cause the OHTTP gateway to corrupt memory belonging to other concurrent connections and disclose the contents of adjacent pooled direct buffers by triggering cryptographic operations with crafted OHTTP requests. The corruption occurs regardless of whether the AEAD tag verification succeeds, as BoringSSL zeroizes the output buffer on failure. The information disclosure path provides the attacker with the encryption key needed to extract the leaked data. This violates the confidentiality and integrity of all connections sharing the same Netty buffer arena. Version 0.0.22.Final fixes the issue.
AI Analysis
Technical Summary
The netty-incubator-codec-ohttp Java library implements Oblivious HTTP using BoringSSL's HPKE via JNI. Versions before 0.0.22.Final have a fallback mechanism for deriving native memory addresses when sun.misc.Unsafe is unavailable (e.g., JVM started with -Dio.netty.noUnsafe=true or restricted by SecurityManager). This fallback incorrectly handles direct ByteBufs without exposed memory addresses, leading to out-of-bounds reads and memory corruption during cryptographic operations. An unauthenticated attacker can exploit this via crafted OHTTP requests to leak sensitive data from adjacent pooled direct buffers, including encryption keys, compromising confidentiality and integrity of all connections sharing the same Netty buffer arena. The vulnerability is addressed in version 0.0.22.Final.
Potential Impact
An unauthenticated remote attacker can cause memory corruption and out-of-bounds reads in the affected Netty library under specific JVM configurations that disable Unsafe access. This results in disclosure of sensitive data from adjacent memory buffers, including encryption keys, violating confidentiality and integrity of all connections using the same buffer arena. The vulnerability does not require user interaction and has a CVSS 4.0 base score of 6.8 (medium severity). There are no known exploits in the wild as of the published date.
Mitigation Recommendations
Upgrade to netty-incubator-codec-ohttp version 0.0.22.Final or later, where this vulnerability is fixed. If upgrading is not immediately possible, avoid JVM configurations that disable sun.misc.Unsafe (such as -Dio.netty.noUnsafe=true) or restrict Unsafe access via SecurityManager, as these enable the vulnerable fallback path. Patch status is not explicitly stated beyond the fixed version; therefore, verify with the vendor advisory for any additional remediation guidance.
CVE-2026-48040: CWE-125: Out-of-bounds Read in netty netty-incubator-codec-ohttp
Description
The netty incubator codec.bhttp is a java language binary http parser. The library implements Oblivious HTTP (RFC 9458) using BoringSSL's HPKE C library via JNI. When deriving native memory addresses for cryptographic operations versions prior to 0.0.22.Final provide a fallback path for direct ByteBufs that do not expose their memory address through `hasMemoryAddress()`. This fallback occurs when `sun.misc.Unsafe` is unavailable to Netty — for example, when the JVM is started with `-Dio.netty.noUnsafe=true`, when a SecurityManager restricts Unsafe access, or when running on non-HotSpot JVMs. In these configurations, Netty's default `PooledByteBufAllocator` returns `PooledDirectByteBuf` instances for which `hasMemoryAddress()` returns false. Under the enabling JVM configuration, an unauthenticated network attacker can cause the OHTTP gateway to corrupt memory belonging to other concurrent connections and disclose the contents of adjacent pooled direct buffers by triggering cryptographic operations with crafted OHTTP requests. The corruption occurs regardless of whether the AEAD tag verification succeeds, as BoringSSL zeroizes the output buffer on failure. The information disclosure path provides the attacker with the encryption key needed to extract the leaked data. This violates the confidentiality and integrity of all connections sharing the same Netty buffer arena. Version 0.0.22.Final fixes the issue.
CVSS v4.0
Score 6.8medium
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The netty-incubator-codec-ohttp Java library implements Oblivious HTTP using BoringSSL's HPKE via JNI. Versions before 0.0.22.Final have a fallback mechanism for deriving native memory addresses when sun.misc.Unsafe is unavailable (e.g., JVM started with -Dio.netty.noUnsafe=true or restricted by SecurityManager). This fallback incorrectly handles direct ByteBufs without exposed memory addresses, leading to out-of-bounds reads and memory corruption during cryptographic operations. An unauthenticated attacker can exploit this via crafted OHTTP requests to leak sensitive data from adjacent pooled direct buffers, including encryption keys, compromising confidentiality and integrity of all connections sharing the same Netty buffer arena. The vulnerability is addressed in version 0.0.22.Final.
Potential Impact
An unauthenticated remote attacker can cause memory corruption and out-of-bounds reads in the affected Netty library under specific JVM configurations that disable Unsafe access. This results in disclosure of sensitive data from adjacent memory buffers, including encryption keys, violating confidentiality and integrity of all connections using the same buffer arena. The vulnerability does not require user interaction and has a CVSS 4.0 base score of 6.8 (medium severity). There are no known exploits in the wild as of the published date.
Mitigation Recommendations
Upgrade to netty-incubator-codec-ohttp version 0.0.22.Final or later, where this vulnerability is fixed. If upgrading is not immediately possible, avoid JVM configurations that disable sun.misc.Unsafe (such as -Dio.netty.noUnsafe=true) or restrict Unsafe access via SecurityManager, as these enable the vulnerable fallback path. Patch status is not explicitly stated beyond the fixed version; therefore, verify with the vendor advisory for any additional remediation guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-20T18:15:53.578Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a21ba77e29bf47b50be4203
Added to database: 6/4/2026, 5:48:39 PM
Last enriched: 6/4/2026, 6:04:07 PM
Last updated: 6/4/2026, 7:46:06 PM
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.