Netty Netty-incubator-codec-ohttp — known CVE vulnerabilities
Every CVE whose affected-product data names Netty Netty-incubator-codec-ohttp, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (4)
CVE-2026-48040 — CVSS 9.1 (critical): The netty incubator codec.bhttp is a java language binary http parser. The library implements Oblivious HTTP (RFC 9458) using BoringSSL's…
CVE-2024-40642 — CVSS 8.1 (high): The netty incubator codec.bhttp is a java language binary http parser. In affected versions the `BinaryHttpParser` class does not properly…
CVE-2024-36121 — CVSS 5.9 (medium): netty-incubator-codec-ohttp is the OHTTP implementation for netty. BoringSSLAEADContext keeps track of how many OHTTP responses have been…
CVE-2026-41207 — CVSS 5.3 (medium): The netty incubator codec.bhttp is a java language binary http parser. Prior to version 0.0.21.Final, HKDF_expand returns non-NULL on…