Skip navigation

Netty 4.2.15.Final released

by chrisvest
on

We are happy to announce the release of netty 4.2.15.Final. This is a bug-fix and security release.

We strongly recommend upgrading to this version to get the following security fixes:

  • CVE-2026-48059: memory exhaustion in io.netty:netty-codec-haproxy (high).
  • CVE-2026-47691: DNS cache poisoning in io.netty:netty-resolver-dns (high).
  • CVE-2026-XXXXX: DDoS in io.netty:netty-codec-http2.
  • CVE-2026-XXXXX: memory exhaustion in io.netty:netty-codec-redis (high).
  • CVE-2026-44250: memory exhaustion in io.netty:netty-codec-redis (high).
  • CVE-2026-44890: memory exhaustion in io.netty:netty-codec-redis (high).
  • CVE-2026-XXXXX: information disclosure and denial of service in io.netty:netty-codec-classes-quic.
  • CVE-2026-44249: IPv6 subnet filter bypass in io.netty:netty-handler (high).
  • CVE-2026-XXXXX: request smuggling in io.netty:netty-codec-http.
  • CVE-2026-44892: memory exhaustion in io.netty:netty-codec-http3 (high).
  • CVE-2026-44893: memory leak in io.netty:netty-codec-haproxy (high).
  • CVE-2026-44894: traffic amplification in io.netty:netty-codec-classes-quic (high).
  • CVE-2026-XXXXX: TLS hostname verification accidentally disabled in io.netty:netty-handler (high).
  • CVE-2026-45673: DNS cache poisoning in io.netty:netty-resolver-dns.
  • CVE-2026-45416: excessive memory usage from SNIHandler in io.netty:netty-handler (high).
  • CVE-2026-45536: file descriptor leak in io.netty:netty-transport-native-epoll and io.netty:netty-transport-native-kqueue.
  • CVE-2026-45674: DNS cache poisoning in io.netty:netty-resolver-dns (high).
  • CVE-2026-46340: memory exhaustion in io.netty:netty-transport-sctp (high).
  • CVE-2026-47244: denial of service in io.netty:netty-codec-http2.
  • CVE-2026-48006: memory exhaustion in io.netty:netty-codec-redis (high).
  • CVE-2026-48748: memory exhaustion in io.netty:netty-codec-http3 (high).
  • CVE-2026-48043: memory exhaustion in io.netty:netty-codec-http2.

Other significant changes are:

  • Fix race in io.netty.channel.uring.IoUringIoHandler.wakeup #16836
  • HTTP/2: Parse request-target path like Vert.x #16810
  • ChannelInitializer: correct misleading comment on exceptionCaught route #16853
  • FlowControlHandler: Suppress duplicate channelReadComplete after draining queue #16837
  • Pass maxAllocation to Brotli and Zstd decoders #16844
  • Add maxWindowLog parameter to ZstdDecoder to bound memory allocation #16850
  • MQTT: Reject malformed no-payload packets with non-zero Remaining Length #16890

For more details please see the complete release notes: https://github.com/netty/netty/releases/tag/netty-4.2.15.Final

Thank You

Every idea and bug-report counts, and so we thought it is worth mentioning those who helped in this area.

Please report an unintended omission.