Netty 4.2.11.Final released

We are happy to announce the release of Netty 4.2.11.Final. This is a bug-fix and security-fix release.

The security fixes are:

  • CVE-2026-33871 rated high. This is an HTTP/2 CONTINUATION frame flood Denial of Service vulnerability.
  • CVE-2026-33870 rated high. This is an HTTP/1.1 Request Smuggling vulnerability in chunked encoding parsing.

The most important changes are:

  • Avoid allocation in HttpObjectEncoder.addEncodedLengthHex method (#16241)
  • Fix high-order bit aliasing in HttpUtil.validateToken (#16279)
  • Fix HttpObjectAggregator leaving connection stuck after 413 with AUTO_READ=false (#16401)
  • Fix UnsupportedOperationException in readTrailingHeaders (#16412)
  • Allocate less in QueryStringDecoder.addParam for typical use case (#16527)
  • HTTP2: Correctly account for padding when decompress (#16264)
  • HTTP2: Pass the correct number of arguments when logging goaway (#16392)
  • HTTP2: Ensure preface is flushed in all cases (#16407)
  • Limit the number of Continuation frames per HTTP2 Headers (#16536)
  • HTTP3: Allow to support non-standard HTTP3 settings (#16171)
  • Fire the QuicChannel datagram extension event before the channel becomes active (#16425)
  • Support QuicheQuicSslEngine hostname identification algorithm. (#16426)
  • Expose QuicSslContextBuilder::sni (#16178)
  • Allow to set destination connection id when creating a client side QuicheChannel (#16286)
  • Add javadoc to clarify responsibility of the user when generating the remote connection id (#16293)
  • Allocate one large segment and slice for each MsgHdrMemory (#16234)
  • Improve multi-byte access performance when UNALIGNED availability is unknown (#16207)
  • fix: the precedence of + is higher than >> (#16312)
  • AdaptiveByteBufAllocator: make sure byteBuf.capacity() not greater than byteBuf.maxCapacity() (#16309)
  • AdaptivePoolingAllocator: call unreserveMatchingBuddy(...) if byteBuf initialization failed (#16327)
  • Recycler should not use thread locals unless they get cleaned up (#16315)
  • Make unpooled buffers avoid shared arenas (#16443)
  • AdaptivePoolingAllocator: remove ensureAccessible() call in capacity(int) method (#16473)
  • Log value of io.netty.ignoreExpensiveClean property during initialization (#16479)
  • AbstractByteBuf._internalNioBuffer() might throw exception (#16423)
  • Eliminate redundant bounds checks in CompositeByteBuf accessors (#16525)
  • Avoid unpooled allocator in CloseWebSocketFrame (#16486)
  • Fix client_max_window_bits parameter handling in per message-deflate extension (#16424)
  • LocalChannel: Remove dependency on SingleThreadEventExecutor (#16393)
  • Local transport: shutdown hook should call closeNow to be consistent (#16406)
  • Remove unnecessary array access in DefaultAttributeMap.orderedCopyOnInsert (#16386)
  • QUIC: Correctly handle selection of alpn protos (#16484)
  • QUIC: Correctly handle malloc errors during ssl context creation (#16483)
  • QUIC: Don't leak memory when context is destroyed (#16481)
  • Quic: Fix global reference leak (#16480)
  • Swap conditions to avoid native (#16389)
  • Support boringssl SSLCredential API (#15919)
  • Decrease Long allocations and map.put calls in ReferenceCountedOpenSslEngine in handshake() method (#16242)
  • Avoid unnecessary SSL.getVersion() call and string allocation in ReferenceCountedOpenSslEngine (#16278)
  • Don't assume CertificateFactory is thread-safe (#16350)
  • Make RefCntOpenSslContext.deallocate more robust (#16253)
  • OpenSSL: Don't leak OpenSslKeyManagerProvider on exception (#16337)
  • Kqueue: Correctly handle registrations (#16439)
  • Kqueue: Correctly use KqueueIoOps.data() when update change list (#16440)
  • Kqueue: Fix undefined behaviour when GetStringUTFChars fails and SO_ACCEPTFILTER is supported (#16441)
  • Kqueue: Possible overflow when using netty_kqueue_bsdsocket_setAcceptFilter(...) (#16451)
  • Fix Incorrect nanos-to-millis conversion in epoll_wait EINTR retry loop (#16245)
  • Epoll: Fix excessive CPU usage when Channel is only registered but no… (#16250)
  • Epoll: Add null checks for safety reasons (#16454)
  • Epoll: Use correct value to initialize mmsghdr.msg_namelen (#16460)
  • Epoll: Fix support for IP_RECVORIGDSTADDR (#16461)
  • Epoll / IoUring: setTcpMd5Sig(...) might overflow (#16511)
  • IoUring: Only complete deregistration promise once we received all completions (#16330)
  • IoUring: Don't use RDHUP for non stream Channel implementations (#16345)
  • IoUring: Fix buffer leak in DatagramChannel implementation when recv operation fails (#16359)
  • IoUring: Reduce unnecessary io_uring_enter syscalls on non-blocking path (#16259)
  • IoUring: Fix io_uring writev infinite loop on kernels without SENDMSG_ZC support (#16438)
  • IoUring: Correctly unregister native functions on OnLoad failure (#16487)
  • IoUring: Correctly handle the case when malloc fails during probe (#16501)
  • IoUring: Correctly unload native stuff (#16502)
  • IoUring: Use correct errno value in exception (#16500)
  • IoUring: Use more correct bitmask check (#16507)
  • IoUring: Correctly handle return value of sys_io_uring_register(...) while (#16508)
  • IoUring: Add NULL check for GetStringUTFChars(...) (#16509)
  • Native transports: Fix possible fd leak when fcntl fails. (#16442)
  • Native transports: Fix undefined behaviour when GetStringUTFChars fails while open FD (#16450)
  • Replace ClosedChannelException with StacklessClosedChannelException (#16506)
  • Enforce io.netty.maxDirectMemory accounting on all Java versions (#16489)
  • JdkZlibDecoder: accumulate decompressed output before firing channelRead (#16510)

For more details please see the complete release notes: https://github.com/netty/netty/releases/tag/netty-4.2.11.Final

Thank You

Every idea and bug-report counts, and so we thought it is worth mentioning those who helped in this area.

Please report an unintended omission.