Netty 4.2.16.Final released
We are happy to announce the release of netty 4.2.16.Final. This is a bug-fix and security release.
We strongly recommend upgrading to this version to get the following security fixes:
- CVE-2026-XXXXX: memory exhaustion in
io.netty:netty-codec-stomp. - CVE-2026-55833: zip bomb in
io.netty:netty-codec-http. - CVE-2026-XXXXX: improper CR/LF neutrolization in
io.netty:netty-codec-http(multipart). - CVE-2026-XXXXX: improper CR/LF neutrolization in
io.netty:netty-codec-haproxy. - CVE-2026-55851: memory exhaustion in
io.netty:netty-codec-haproxy. - CVE-2026-56745: memory exhaustion in
io.netty:netty-codec-http. - CVE-2026-56817: insecure defaults in XML parsing in
io.netty:netty-codec-xml. - CVE-2026-XXXXX: memory exhaustion in
io.netty:netty-codec-http. - CVE-2026-56818: memory leak in
io.netty:netty-codec-redis. - CVE-2026-56819: memory leak in
io.netty:netty-codec-http2. - CVE-2026-56816: memory exhaustion in
io.netty:netty-codec-http3. - CVE-2026-55831: resource exhaustion/DoS in
io.netty:netty-codec-http. - CVE-2026-XXXXX: memory leak in
io.netty:netty-codec-dns. - CVE-2026-XXXXX: infinite loop in
io.netty:netty-codec-compression(bzip2). - CVE-2026-XXXXX: improper header neutralization in
io.netty:netty-codec-http2. - CVE-2026-XXXXX: protocol version confusion in
io.netty:netty-codec-http(websocket). - CVE-2026-56746: improper access control in
io.netty:netty-codec-http(CORS). - CVE-2026-56822: time-of-check/time-of-use in
io.netty:netty-handler-ssl-ocsp. - CVE-2026-XXXXX: uncontrolled resource consumption in
io.netty:netty-codec-xml. - CVE-2026-56820: improper certificate validation in
io.netty:netty-handler-ssl-ocsp. - CVE-2026-56821: improper certificate revocation check in
io.netty:netty-handler-ssl-ocsp. - CVE-2026-XXXXX: improper CR/LF neutrolization in
io.netty:netty-codec-stomp.
Other significant changes are:
- Document Java 9 requirement for
io_uringin #16904 - Fix incorrect bounds in error message of
HpackDecoder.setMaxHeaderListSizein #16901 - Add epoch-based chunk cache purge with ring buffer for thread-local reuse in #16766
- SingleThreadEventExecutor: document Throwable safety contract on
run()in #16909 - Make HTTP/2 frame hashCode consistent with equals in #16910
- MQTT: Make the decodeProperties early-REPLAY check actually fire in #16919
- IoUring: fix
io_uringdatagram writes with non-zeroreaderIndexin #16905 - Exclude internal events from
IoHandler.run()return value in epoll,io_uringandkqueuein #16848 - IoUring: Pass
IORING_ENTER_NO_IOWAITto report accurate CPU usage in #16739 - Reject control characters at the boundary of HTTP method names in #16723
- IoUring: fix TCP Fast Open initial writes with
readerIndexand composites in #16929 - Fix propagation of
startTlsfor clientSslContexthandlers in #16931 - Update to latest tcnative release in #16936
- Refactor: Useful helper method
getOrDefaultand cleaner abstraction in #16927 - Make permessage-deflate server window size and
memLevelconfigurable in #16809 - Return early in
DnsQueryContext.writeQuerywhen the query ID space is exhausted in #16950 - Fix HTTP 2
PUSH_PROMISEstream association validation in #16952 - Fix GZIP
FEXTRAextra-field handling inJdkZlibDecoderin #16951 Http3FrameCodechandle fragmented payloads when skipping unknown frames in #16960- Add opt-in validation of mandatory pseudo-header fields for HTTP/2 in #16932
- Strictly validate MQTT UTF-8 Encoded String in #16939
- Stop
DateFormattertrailing token from running past the parse end in #16958 - IpFilter: Deprecate constructor which use accept by default in #16961
- Add RFC 10008 QUERY Method support in #16966
- Correctly release and fail queued traffic-shaping writes on close in #16959
- Reject control characters at the boundary of the HTTP version token in #16971
- FlowControlHandler: respect auto-read when toggled while dequeueing in #16949
- Fix leak in
ReferenceCountedOpenSslEngine.addCredentialin #16979 - IdleStateHandler: reset
firstWriter/ReaderIdleEventinresetWriteTimeout/resetReadTimeoutin #16982 - Fix typo in
AbstractSniHandlerJavadoc in #16988 - Fix client/server inconsistency in
SslCredentialsupport matrix in #16990 - Reconcile
AbstractCoalescingBufferQueuereadableBytes when it drains, and fail stuck HTTP/2 streams instead of spinning empty DATA frames in #16947 - Reset UTF-8 decode state on
CRinStompSubframeDecoderin #16991 - FastLz: Guard decompression against truncated input in #17000
- Reject non-token characters in HTTP/2 header names in #16762
- Enable extension of
Http3ClientConnectionHandlerto support higher-level protocols such as WebTransport in #17027 - Implement Adaptive Cumulator in #16731
- Allow WebSocket extension negotiation to be disabled per response in #17030
- Support QPACK sensitivity detector for
Never Indexedheader fields in #17026 - Fix
maxAllocationfor brotli-encoded content inHttpContentDecompressorin #17037 - Pin github actions to reduce risk in #17043
- Update
lz4-javato 1.11.1 in #17061
For more details please see the complete release notes.
Thank You
Every idea and bug-report counts, and so we thought it is worth mentioning those who helped in this area.
Please report an unintended omission.