DEV Community

CVE Reports

Posted on • Originally published at cvereports.com


CVE-2026-48480: Undetected Stream Truncation in netty-incubator-codec-ohttp

Vulnerability ID: CVE-2026-48480
CVSS Score: 6.6
Published: 2026-06-23

The Netty incubator codec for Oblivious HTTP (OHTTP) fails to verify that a cryptographically signed final chunk has been received before the outer HTTP body terminates. Because of this missing validation, an on-path adversary can truncate a chunked-OHTTP message cleanly at a non-final chunk boundary, and the truncation goes undetected, compromising message integrity. The vulnerability affects multiple versions of the Maven package io.netty.incubator:netty-incubator-codec-ohttp prior to 0.0.22.Final.

TL;DR

An on-path adversary can cleanly truncate a chunked-OHTTP stream at a non-final chunk boundary, bypassing integrity checks without triggering decryption errors or application exceptions.
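To make the missing step concrete, here is an added model (not Netty's code) of a chunk parser with and without the check the fix adds; the one-byte length framing and the zero-length final-chunk marker are simplifying assumptions chosen for the example.

```python
"""Model of the CVE-2026-48480 check: must a final chunk arrive before the outer
HTTP body completes?  Framing assumed for this example, not taken from Netty:
each chunk is a one-byte length prefix followed by that many bytes; a prefix of
0 marks the final chunk, whose payload runs to the end of the body."""


class CorruptedFrameException(Exception):
    """Stands in for Netty's io.netty.handler.codec.CorruptedFrameException."""


def parse_chunks(body: bytes, complete_body_received: bool, enforce_final: bool):
    """Return (list of chunk payloads, final_chunk_seen).

    enforce_final=False reproduces the pre-0.0.22 behaviour: a body ending exactly
    on a chunk boundary is accepted although no final chunk arrived.
    enforce_final=True applies the check from commit 28f977f.
    """
    chunks, final_chunk, pos = [], False, 0
    while pos < len(body):
        length = body[pos]
        if length == 0:
            if not complete_body_received:
                break  # final chunk spans the rest of the body; wait for it
            chunks.append(body[pos + 1:])
            final_chunk = True
            break
        end = pos + 1 + length
        if end > len(body):
            # A cut in the middle of a chunk is caught in both versions once the
            # body is complete; only the clean boundary cut slipped through.
            if complete_body_received:
                raise CorruptedFrameException("truncated chunk")
            break
        chunks.append(body[pos + 1:end])
        pos = end
    if enforce_final and complete_body_received and not final_chunk:
        raise CorruptedFrameException("OHTTP stream ended without a final chunk")
    return chunks, final_chunk


def truncation_detected(body: bytes, enforce_final: bool) -> bool:
    """True if parsing `body` as a complete outer body raises."""
    try:
        parse_chunks(body, complete_body_received=True, enforce_final=enforce_final)
    except CorruptedFrameException:
        return True
    return False


# Constructed sample: chunks "abc", "de", then final chunk "fin".
FULL_STREAM = b"\x03abc\x02de\x00fin"
CUT_AT_BOUNDARY = FULL_STREAM[:7]  # cleanly cut after the second chunk

if __name__ == "__main__":
    print("vulnerable detects clean cut:", truncation_detected(CUT_AT_BOUNDARY, False))
    print("fixed detects clean cut:", truncation_detected(CUT_AT_BOUNDARY, True))
```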


Technical Details

  • CWE ID: CWE-325
  • Vulnerability Type: Missing Cryptographic Step
  • Attack Vector: Network (AV:N)
  • CVSS v4.0: 6.6 (Medium)
  • EPSS Score: 0.00167
  • Exploit Status: PoC / Test-Only
  • CISA KEV Status: Not Listed

Affected Systems

  • io.netty.incubator:netty-incubator-codec-ohttp
  • netty-incubator-codec-ohttp: < 0.0.22.Final (Fixed in: 0.0.22.Final)

Code Analysis

Commit: 28f977f

Ensure that once the outer body is complete we also received the final chunk

@@ -172,13 +172,18 @@ public void parse(ByteBufAllocator alloc, ByteBuf in, boolean completeBodyReceiv
                 return;
             }
         }
+        boolean finalChunk = false;
         while (in.isReadable()) {
             ChunkInfo chunkInfo = parseNextChunk(in, completeBodyReceived, maxChunkSize);
             if (chunkInfo == null) {
                 break;
             }
+            finalChunk |= chunkInfo.isFinal;
             decoder.decodeChunk(alloc, in, chunkInfo.length, chunkInfo.isFinal, out);
         }
+        if (completeBodyReceived && !finalChunk) {
+            throw new CorruptedFrameException("OHTTP stream ended without a final chunk");
+        }
     }
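Review bot: the new `finalChunk` check only runs when control reaches the end of `parse`; the `return` in the unchanged context at the top of the hunk exits before it, so if that branch can be taken on a call where `completeBodyReceived` is true, a body ending there without a final chunk would still pass silently. Worth confirming that the early return only happens while more body is expected, or hoisting the check so every exit path taken with `completeBodyReceived` performs it. Also, `finalChunk |= chunkInfo.isFinal` records that a final chunk was seen but nothing in this hunk rejects further chunks parsed after it; if `decodeChunk` does not already fail on data after the final chunk, a trailing-data check would close the other half of the framing validation.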

Mitigation Strategies

  • Upgrade netty-incubator-codec-ohttp to version 0.0.22.Final or higher.
  • Implement log monitoring for CorruptedFrameException indicating OHTTP stream truncation.
  • Enforce strict validation of message lengths at the application layer where possible.

Remediation Steps:

  1. Identify all Maven dependencies referencing io.netty.incubator:netty-incubator-codec-ohttp.
  2. Update the dependency version in pom.xml to 0.0.22.Final.
  3. Rebuild and redeploy the affected applications.

Read the full report for CVE-2026-48480 on our website for more details including interactive diagrams and full exploit analysis.
