CVE-2026-48480: Undetected Stream Truncation in netty-incubator-codec-ohttp

Chunked Oblivious HTTP (OHTTP) specifies a mechanism for routing encrypted HTTP messages through intermediate relays while preserving sender privacy. In this architecture, messages are segmented into a sequence of cryptographically encapsulated chunks. The protocol relies on a dedicated end-of-stream flag inside the final chunk to assert message completeness and protect against unauthorized stream truncation by intermediate transport layers.

Prior to version 0.0.22.Final, the netty-incubator-codec-ohttp component failed to verify the presence of this final chunk flag before declaring a stream successfully processed. This vulnerability is classified as CWE-325: Missing Cryptographic Step. It allows an adversary to manipulate the boundaries of OHTTP communications without triggering parser-level exceptions.

Because the OHTTP layer did not cross-reference the transport layer's termination state with the cryptographic payload's internal structure, the receiving application would process incomplete payloads as if they were fully transmitted. This compromises message integrity and enables silent denial-of-service or information omission attacks. The vulnerability is especially critical in secure proxies or privacy-centric routing services.

The vulnerability stems from a lack of state enforcement within the chunk parsing loop of OHttpVersionChunkDraft.java. The parse method is designed to iterate through incoming bytes, reconstructing individual chunk frames via parseNextChunk and decoding them sequentially. However, the parser lacked tracking logic to monitor whether any of the parsed chunk frames possessed the isFinal attribute set to true.

When the underlying transport layer completes transmission, it signals the parser by setting the completeBodyReceived flag to true. In vulnerable versions, receiving this signal caused the parser to conclude processing immediately upon consuming the current buffer, regardless of whether a terminal cryptographic chunk had been resolved. The parser assumed that any clean termination of the transport envelope equated to a complete and correct transmission of the cryptographic stream.

An on-path adversary can exploit this design flaw by terminating the TCP connection or ending the HTTP/2 frame sequence early. If the truncation is performed cleanly at a non-final chunk boundary, the parser handles the truncated stream successfully. The absence of a post-decryption validation step prevents the engine from realizing that subsequent chunks were omitted by the sender or dropped in transit. This omission bypasses the designed cryptographic integrity verification.

An analysis of the patch committed to the Netty project repository reveals the introduction of explicit state tracking for the final-chunk marker. The revised method signature and decoding loop maintain a local boolean state across the parsing execution. If the transport layer reports complete body reception but the final-chunk state is false, the parser now raises a CorruptedFrameException.

Below is the comparison of the code paths within the parse method of OHttpVersionChunkDraft.java before and after remediation:

// Vulnerable Implementation
public void parse(ByteBufAllocator alloc, ByteBuf in, boolean completeBodyReceived, Decoder decoder, List<Object> out) {
    // ... 
    while (in.isReadable()) {
        ChunkInfo chunkInfo = parseNextChunk(in, completeBodyReceived, maxChunkSize);
        if (chunkInfo == null) {
            break;
        }
        decoder.decodeChunk(alloc, in, chunkInfo.length, chunkInfo.isFinal, out);
    }
    // No validation of chunkInfo.isFinal against completeBodyReceived exists here
}

// Patched Implementation
public void parse(ByteBufAllocator alloc, ByteBuf in, boolean completeBodyReceived, Decoder decoder, List<Object> out) {
    // ...
    boolean finalChunk = false; // Added to track final chunk presence
    while (in.isReadable()) {
        ChunkInfo chunkInfo = parseNextChunk(in, completeBodyReceived, maxChunkSize);
        if (chunkInfo == null) {
            break;
        }
        finalChunk |= chunkInfo.isFinal; // Accumulate final chunk flag using bitwise OR
        decoder.decodeChunk(alloc, in, chunkInfo.length, chunkInfo.isFinal, out);
    }
    // Enforce that complete transport body corresponds to a complete cryptographic body
    if (completeBodyReceived && !finalChunk) {
        throw new CorruptedFrameException("OHTTP stream ended without a final chunk");
    }
}

While this fix prevents truncation when a transport stream finishes, security teams should evaluate caller behavior. Because finalChunk is maintained as a local variable within a single execution of the parse method, state preservation depends on the upstream handler correctly accumulating buffers across fragmented TCP packets before calling the parser with completeBodyReceived set to true. If a caller calls parse with completeBodyReceived set to true on an empty buffer invocation, the local finalChunk evaluates to false and triggers an exception. Developers must ensure correct usage of the parser interface in customized pipeline configurations.

To successfully execute this attack, the adversary must reside on-path between the client and the gateway, such as functioning as the OHTTP Relay or intercepting transport-layer communications as a machine-in-the-middle (MITM). No prior authentication credentials or specialized configuration parameters are required.

The attack begins when a target client initiates a multi-chunk OHTTP transaction, sending a sequence of encapsulated payloads. The attacker intercepts the transmission and identifies the target boundary to truncate, deciding which chunks to forward and which to discard. The adversary forwards only the initial chunks and drops all subsequent chunks, including the cryptographically signed final chunk.

Immediately after transmitting the truncated prefix, the attacker cleanly terminates the outer HTTP transport layer, sending a proper TCP FIN segment or an HTTP/2 END_STREAM flag. The receiving OHTTP gateway receives the clean connection closure, flags completeBodyReceived as true, and processes the partial chunks successfully. The application processes the incomplete data payload without throwing a cryptographic decryption exception or signaling an integrity failure. This enables clean manipulation of message content at the boundary of a chunk.

The security impact of CVE-2026-48480 centers on the loss of message integrity within secure communication systems utilizing OHTTP. Because OHTTP is typically deployed in privacy-sensitive environments to proxy DNS queries, telemetry data, or secure API payloads, the silent truncation of these streams can have significant operational consequences.

For example, an attacker could truncate an administrative telemetry upload to omit critical security alerts or system status events. In application protocols where the receiver assumes the completeness of a message based on parser completion, the truncated stream might be parsed as a shorter, valid message, leading to execution state mismatches or logic bypasses.

The vulnerability is assigned a CVSS v4.0 base score of 6.6, indicating medium severity. The attack vector is Network (AV:N), and the attack complexity is Low (AC:L). Although confidentiality is unaffected, the integrity impact is rated as High (VI:H) because the application layer has no cryptographically sound mechanism to detect data loss in vulnerable versions. This can cause applications to operate on incomplete and potentially misleading information.

The primary remediation path is upgrading the io.netty.incubator:netty-incubator-codec-ohttp dependency to version 0.0.22.Final or later. This release introduces the finalChunk check within the OHTTP frame parser, which successfully aborts processing with a CorruptedFrameException if truncation is detected.

In scenarios where immediate patching of the runtime binaries is not feasible, organizations should implement deep packet inspection or application-layer length validations where possible. If the application payload contains an internal length field or structured schema (such as JSON or Protobuf), the receiver should explicitly validate that the deserialized object matches the expected structure and length before execution.

Additionally, security teams should monitor application-level exception logs. The appearance of io.netty.handler.codec.CorruptedFrameException: OHTTP stream ended without a final chunk should be aggregated and alerted on, as it indicates either a misconfigured transport layer or an active attempt to truncate secure OHTTP message streams. System administrators should configure perimeter filters to drop connections from relays showing high rates of abrupt closures.