We are happy to announce the release of netty 4.1.118.Final. This is a bug-fix release but also fixes a (critical CVE) in our SSL implementation. Please upgrade as soon as possible if you use our native SSL implementation.

The most important changes are:

• SslHandler doesn't correctly validate packets which can lead to native crash when using native SSLEngine (CVE-2025-24970)
• Denial of Service attack on windows app using Netty, again (CVE-2025-25193)
• Upgrade netty-tcnative to 2.0.70.Final (#14790)
• Fix recycling in CodecOutputList (#14706)
• Allocate bytebuf without magazine lock when threads get collisions (#14594)
• Make StreamBufferingEncoder not send header frame with priority by default (#14732)
• Notify event loop termination future of unexpected exceptions (#14734)
• KQueueEventLoop leaks memory on shutdown (#14745)
• Fix AccessControlException in GlobalEventExecutor (#14743)
• Fix possible buffer leak when stream can't be mapped (#14746)
• AdaptivePoolingAllocator: Round chunk sizes up to MIN_CHUNK_SIZE units and reduce chunk release frequency (#14763)

For more details please visit our bug tracker

Thank You

Every idea and bug-report counts, and so we thought it is worth mentioning those who helped in this area.

Please report an unintended omission.

• @adwsingh
• @Akshay-Sundarraj
• @bryce-anderson
• @chrisvest
• @ejona86
• @franz1981
• @He-Pin
• @idelpivnitskiy
• @ivanangelov
• @johnou
• @laosijikaichele
• @normanmaurer
• @reta
• @vietj
• @vio-lin
• @yawkat