
Netty 4.1.135.Final released

We are happy to announce the release of Netty 4.1.135.Final. This is a bug-fix and security release.

We strongly recommend upgrading to this version to get the following security fixes:

  • CVE-2026-48059: memory exhaustion in io.netty:netty-codec-haproxy (high).
  • CVE-2026-47691: DNS cache poisoning in io.netty:netty-resolver-dns (high).
  • CVE-2026-XXXXX: DDoS in io.netty:netty-codec-http2.
  • CVE-2026-XXXXX: memory exhaustion in io.netty:netty-codec-redis (high).
  • CVE-2026-44250: memory exhaustion in io.netty:netty-codec-redis (high).
  • CVE-2026-44890: memory exhaustion in io.netty:netty-codec-redis (high).
  • CVE-2026-44249: IPv6 subnet filter bypass in io.netty:netty-handler (high).
  • CVE-2026-XXXXX: request smuggling in io.netty:netty-codec-http.
  • CVE-2026-44893: memory leak in io.netty:netty-codec-haproxy (high).
  • CVE-2026-XXXXX: TLS hostname verification accidentally disabled in io.netty:netty-handler (high).
  • CVE-2026-45673: DNS cache poisoning in io.netty:netty-resolver-dns.
  • CVE-2026-45416: excessive memory usage from SNIHandler in io.netty:netty-handler (high).
  • CVE-2026-45536: file descriptor leak in io.netty:netty-transport-native-epoll and io.netty:netty-transport-native-kqueue.
  • CVE-2026-45674: DNS cache poisoning in io.netty:netty-resolver-dns (high).
  • CVE-2026-46340: memory exhaustion in io.netty:netty-transport-sctp (high).
  • CVE-2026-47244: denial of service in io.netty:netty-codec-http2.
  • CVE-2026-48006: memory exhaustion in io.netty:netty-codec-redis (high).
  • CVE-2026-48043: memory exhaustion in io.netty:netty-codec-http2.

Other significant changes are:

  • MQTT: Allow MQTT 5 CONNECT with password only #16834
  • ChannelInitializer: correct misleading comment on exceptionCaught route #16847
  • HTTP/2: Parse request-target path like Vert.x (4.1 backport) #16856
  • HttpObjectDecoder skips arbitrary initial control characters when only initial CRLF characters are permitted #16861
  • IpSubnetFilter: Correctly handle ipv6 #16860
  • Configurable bound on RedisArrayAggregator #16858
  • Redis: Limit decoded length #16859
  • DNS: Ensure query id is not predictable #16870
  • Wrapping plain trust manager silently disables hostname verification #16868
  • MQTT: Reject malformed no-payload packets with non-zero Remaining Length #16852
  • HAProxy: Reject HAProxyMessages with malformed TLVs without leaking memory #16866
  • SSL: Use sane defaults as limits for the client hello length and timeout #16871
  • DNS: Only cache CNAME if part of the queried domain #16873
  • HTTP/2: Enforce max concurrent streams for misbehaving clients #16876
  • Dns: Insufficient Bailiwick Validation for NS Records #16877
  • HTTP2: DelegatingDecompressorFrameListener must release memory in all cases #16880
  • Pass maxAllocation to Brotli and Zstd decoders (#16844) #16886
  • HTTP/2: Treat clients' MAX_HEADER_LIST_SIZE as advisory #16883
  • Add maxWindowLog parameter to ZstdDecoder to bound memory allocation #16894
  • HAProxy: Fix ByteBuf leak when parsing nested SSL TLVs #16881
  • Epoll / Kqueue: Correctly handle receive of FD #16872
  • SCTP: Limit the number of inflight incomplete SCTP messages and the number of fragments #16875
  • Redis: Correctly release incomplete message on removal when using RedisArrayAggregator #16878
  • Redis: Limit the maximum number of nested arrays #16882

For more details please see the complete release notes.

Thank You

Every idea and bug report counts, and so we thought it worth mentioning those who helped in this area.

Please report an unintended omission.