Netty 4.1.132.Final released

We are happy to announce the release of Netty 4.1.132.Final. This is a bug-fix and security-fix release.

The security fixes are:

  • CVE-2026-33871 rated high. This is an HTTP/2 CONTINUATION frame flood Denial of Service vulnerability.
  • CVE-2026-33870 rated high. This is an HTTP/1.1 Request Smuggling vulnerability in chunked encoding parsing.

The most important changes are:

  • Fix Incorrect nanos-to-millis conversion in epoll_wait EINTR retry loop (#16248)
  • Make RefCntOpenSslContext.deallocate more robust (#16257)
  • HTTP2: Correctly account for padding when decompress (#16265)
  • Fix high-order bit aliasing in HttpUtil.validateToken (#16303)
  • fix: the precedence of + is higher than >> (#16316)
  • AdaptiveByteBufAllocator: make sure byteBuf.capacity() not greater than byteBuf.maxCapacity() (#16320)
  • AdaptivePoolingAllocator: call unreserveMatchingBuddy(...) if byteBuf initialization failed (#16331)
  • Don't assume CertificateFactory is thread-safe (#16364)
  • Fix HttpObjectAggregator leaving connection stuck after 413 with AUTO_READ=false (#16280)
  • HTTP2: Ensure preface is flushed in all cases (#16432)
  • Fix UnsupportedOperationException in readTrailingHeaders (#16437)
  • Fix client_max_window_bits parameter handling in permessage-deflate extension (#16435)
  • Native transports: Fix possible fd leak when fcntl fails. (#16446)
  • Kqueue: Fix undefined behaviour when GetStringUTFChars fails and SO_ACCEPTFILTER is supported (#16448)
  • Kqueue: Possible overflow when using netty_kqueue_bsdsocket_setAcceptFilter(...) (#16459)
  • Native transports: Fix undefined behaviour when GetStringUTFChars fails while open FD (#16456)
  • Epoll: Add null checks for safety reasons (#16463)
  • Epoll: Use correct value to initialize mmsghdr.msg_namelen (#16467)
  • Epoll: Fix support for IP_RECVORIGDSTADDR (#16468)
  • AdaptivePoolingAllocator: remove ensureAccessible() call in capacity(int) method (#16475)
  • Epoll: setTcpMg5Sig(...) might overflow (#16520)
  • JdkZlibDecoder: accumulate decompressed output before firing channelRead (#16532)
  • Limit the number of Continuation frames per HTTP2 Headers (#13969)
  • Stricter HTTP/1.1 chunk extension parsing (#16537)

For more details please see the complete release notes: https://github.com/netty/netty/releases/tag/netty-4.1.132.Final

Thank You

Every idea and bug report counts, so we think it is worth mentioning those who helped in this area.

Please report an unintended omission.