{"id":"CVE-2026-41207","summary":"netty-incubator-codec-ohttp's HPKEContext operations may produce empty byte[] on failures","details":"netty-incubator-codec-bhttp is a Java binary HTTP parser. Prior to version 0.0.21.Final, HKDF_expand returns a non-null byte[] on failure. The returned byte[] is filled with zeros, so callers have no way to distinguish success from failure. Since this output is used as HKDF key material for the response AEAD, a failure silently produces an all-zero key. When EVP_HPKE_CTX_export fails, it likewise returns a byte[] filled with zeros. This byte[] feeds directly into OHttpCrypto.createResponseAEAD(...). A silent all-zero export secret would produce a deterministic, attacker-predictable AEAD key. Version 0.0.21.Final patches the issue.","aliases":["GHSA-f659-372h-6x3x"],"modified":"2026-06-18T03:57:18.715540332Z","published":"2026-06-04T17:22:35.742Z","database_specific":{"cwe_ids":["CWE-330"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41207.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41207.json"},{"type":"ADVISORY","url":"https://github.com/netty/netty-incubator-codec-ohttp/security/advisories/GHSA-f659-372h-6x3x"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41207"},{"type":"FIX","url":"https://github.com/netty/netty-incubator-codec-ohttp/commit/3d3b4e527fc82ad0fe3db1af951ffd0ec9a10680"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/netty/netty-incubator-codec-ohttp","events":[{"introduced":"0"},{"fixed":"1e13447342d7d8174fb2c6b015d7db7e822fd531"},{"fixed":"3d3b4e527fc82ad0fe3db1af951ffd0ec9a10680"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"0.0.21"}],"source":["CPE_RANGE","REFERENCES"],"cpe":"cpe:2.3:a:netty:netty-incubator-codec-ohttp:*:*:*:*:*:*:*:*"}}],"versions":["netty-incubator-codec-parent-ohttp-0.0.20.Final","netty-incubator-codec-parent-ohttp-0.0.19.Final","netty-incubator-codec-parent-ohttp-0.0.18.Final","netty-incubator-codec-parent-ohttp-0.0.17.Final","netty-incubator-codec-parent-ohttp-0.0.16.Final","netty-incubator-codec-parent-ohttp-0.0.15.Final","netty-incubator-codec-parent-ohttp-0.0.14.Final","netty-incubator-codec-parent-ohttp-0.0.13.Final","netty-incubator-codec-parent-ohttp-0.0.12.Final","netty-incubator-codec-parent-ohttp-0.0.11.Final","netty-incubator-codec-parent-ohttp-0.0.10.Final","netty-incubator-codec-parent-ohttp-0.0.9.Final","netty-incubator-codec-parent-ohttp-0.0.8.Final","netty-incubator-codec-parent-ohttp-0.0.7.Final","netty-incubator-codec-parent-ohttp-0.0.6.Final","netty-incubator-codec-parent-ohttp-0.0.5.Final","netty-incubator-codec-parent-ohttp-0.0.4.Final","netty-incubator-codec-parent-ohttp-0.0.3.Final","netty-incubator-codec-parent-ohttp-0.0.2.Final","netty-incubator-codec-parent-ohttp-0.0.1.Final"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-41207.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"}]}