We are happy to announce the release of netty 4.2.13.Final. This is a bug-fix and security release that fixes numerous security issues.

We strongly recommend upgrading to this version to get the following security fixes:

• CVE-2026-42586 (netty-codec-redis)
• CVE-2026-42578 (netty-handler-proxy)
• CVE-2026-42577 (netty-transport-native-epoll)
• CVE-2026-42587 (netty-codec-http, netty-codec-http2)
• CVE-2026-41417 (netty-codec-http)
• CVE-2026-42581 (netty-codec-http)
• CVE-2026-42580 (netty-codec-http)
• CVE-2026-42585 (netty-codec-http)
• CVE-2026-42579 (netty-codec-dns)
• CVE-2026-42582 (netty-codec-http3)
• CVE-2026-42583 (netty-codec, netty-codec-compression)
• CVE-2026-42584 (netty-codec-http)
• CVE-2026-44248 (netty-codec-mqtt)

Other significant changes are:

• Kqueue: sendfile EINTR doesn't advance offset — data duplication #16544
• Ensure the CRYPTO_BUFFER_POOL is also freed when we fail creating the SSLContext #16545
• Fix IndexOutOfBoundsException in StompSubframeDecoder on heartbeat #16543
• Avoid leak in PemReader on OutOfDirectMemoryError #16551
• Include user properties and subscription IDs in MqttProperties#isEmpty #16575
• Native DNS resolver: Guard against malloc failures #16559
• Fix parsing HTTP chunks with multiple extensions #16579
• Native transports: Correctly create pipe when pipe2 is not supported #16592
• Fix buffer component search fast path #16548
• Quic: Correctly handle SSL_CTX_new failures #16622
• Make LocalIoHandle public #16621
• Quic: Fix shadowing of variable which leads to incorrectly handling errors #16623
• Use stream error for maxContentLength exceeded in InboundHttp2ToHttpAdapter #16629
• Fix shutdownInput bug in kqueue for empty recv buffer #16630
• Fix FFM address semantics in directBufferAddress #16603
• HTTP2: Ensure HTTP2 preface is always send as first message #16636
• Kqueue: Fix usage of LOCAL_PEERPID #16637
• Fix file descriptor reuse bug in kqueue #16650
• HTTP2: Ensure HTTP2 preface is always send as first message (also on the server) #16667
• Fix IllegalReferenceCountException in AdaptiveByteBuf.deallocate() #16654
• Add generic FileRegion support in io_uring stream channel #16571
• Deprecate ObjectCleaner and remove usage #16685
• Update to netty-tcnative 2.0.77.Final #16687
• Avoid NPE in JdkSslClientContext when TrustManagerFactory returns null #16702
• Avoid NPE in JdkSslServerContext when TrustManagerFactory returns null #16700
• Epoll: Correctly delete fd from epoll if there is nothing to handle #16689
• Epoll: Use correct initial EpollIoOps #16728

For more details please see the complete release notes: https://github.com/netty/netty/releases/tag/netty-4.2.13.Final

Thank You

Every idea and bug-report counts, and so we thought it is worth mentioning those who helped in this area.

Please report an unintended omission.

• @chrisvest
• @gzsombor
• @normanmaurer
• @rdicroce
• @LuciferYang
• @doom369
• @raipc
• @yawkat
• @laosijikaichele
• @ShadowySpirits
• @dreamlike-ocean
• @Songdoeon
• @fru1tworld