Netty 4.1.133.Final released

by chrisvest
on 04-May-2026

We are happy to announce the release of netty 4.1.133.Final. This is a bug-fix and security release that fixes numerous security issues.

We strongly recommend upgrading to this version to get the following security fixes:

Other significant changes are:

Fix IndexOutOfBoundsException in StompSubframeDecoder on heartbeat #16539
Kqueue: sendfile EINTR doesn't advance offset — data duplication #16554
Avoid leak in PemReader on OutOfDirectMemoryError #16576
Native DNS resolver: Guard against malloc failures #16584
Include user properties and subscription IDs in MqttProperties#isEmpty #16582
Fix parsing HTTP chunks with multiple extensions #16588
Epoll: Cleanup code to always return negative value on failure #16601
Native transports: Correctly create pipe when pipe2 is not supported #16598
Use stream error for maxContentLength exceeded in InboundHttp2ToHttpAdapter #16558
Fix shutdownInput bug in kqueue for empty recv buffer #16638
Kqueue: Fix usage of LOCAL_PEERPID #16646
HTTP2: Ensure HTTP2 preface is always send as first message #16642
HTTP2: Ensure HTTP2 preface is always send as first message (also on the server) #16675
Deprecate ObjectCleaner and remove usage #16694
Update to netty-tcnative 2.0.77.Final #16695
Avoid NPE in JdkSslServerContext when TrustManagerFactory returns null #16691
Avoid NPE in JdkSslClientContext when TrustManagerFactory returns null #16690
SCTP: Correctly handle SO_BACKLOG #16715

For more details please see the complete release notes: https://github.com/netty/netty/releases/tag/netty-4.2.13.Final

Thank You

Every idea and bug-report counts, and so we thought it is worth mentioning those who helped in this area.

Please report an unintended omission.