What is GHSA-f659-372h-6x3x?

GHSA-f659-372h-6x3x is a security advisory published by GitHub Security Advisories with Medium severity. netty-incubator-codec-ohttp's HPKEContext operations may produce empty byte[] on failures

Which CVE IDs does GHSA-f659-372h-6x3x cover?

GHSA-f659-372h-6x3x covers the following CVE IDs: CVE-2026-41207. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

Which products are affected by GHSA-f659-372h-6x3x?

GHSA-f659-372h-6x3x affects 1 product, including: maven/io.netty.incubator:netty-incubator-codec-ohttp:\u003c 0.0.21.Final.

GHSA-f659-372h-6x3xMedium

netty-incubator-codec-ohttp's HPKEContext operations may produce empty byte[] on failures

Vendor

GitHub Security Advisories

Published

May 26, 2026

Last Modified

May 26, 2026

🔗 CVE IDs covered (1)

CVE-2026-41207 →

📋 Description

HKDF_expand: returns non-NULL on failure. The byte[] is filled with zeros and has no way to distinguish success from failure. Since this output is used as HKDF key material for the response AEAD, a failure silently produces an all-zero key.

When EVP_HPKE_CTX_export fails it also returns an empty byte[] array filled with zeros. This byte[] feeds directly into OHttpCrypto.createResponseAEAD(...). A silent all-zero export secret would produce a deterministic, attacker-predictable AEAD key.

🎯 Affected products1

maven/io.netty.incubator:netty-incubator-codec-ohttp:< 0.0.21.Final

🔗 References (2)

https://github.com/netty/netty-incubator-codec-ohttp/security/advisories/GHSA-f659-372h-6x3x
https://github.com/advisories/GHSA-f659-372h-6x3x