Skip navigation

Netty 4.2.16.Final released

We are happy to announce the release of netty 4.2.16.Final. This is a bug-fix and security release.

We strongly recommend upgrading to this version to get the following security fixes:

  • CVE-2026-XXXXX: memory exhaustion in io.netty:netty-codec-stomp.
  • CVE-2026-55833: zip bomb in io.netty:netty-codec-http.
  • CVE-2026-XXXXX: improper CR/LF neutrolization in io.netty:netty-codec-http (multipart).
  • CVE-2026-XXXXX: improper CR/LF neutrolization in io.netty:netty-codec-haproxy.
  • CVE-2026-55851: memory exhaustion in io.netty:netty-codec-haproxy.
  • CVE-2026-56745: memory exhaustion in io.netty:netty-codec-http.
  • CVE-2026-56817: insecure defaults in XML parsing in io.netty:netty-codec-xml.
  • CVE-2026-XXXXX: memory exhaustion in io.netty:netty-codec-http.
  • CVE-2026-56818: memory leak in io.netty:netty-codec-redis.
  • CVE-2026-56819: memory leak in io.netty:netty-codec-http2.
  • CVE-2026-56816: memory exhaustion in io.netty:netty-codec-http3.
  • CVE-2026-55831: resource exhaustion/DoS in io.netty:netty-codec-http.
  • CVE-2026-XXXXX: memory leak in io.netty:netty-codec-dns.
  • CVE-2026-XXXXX: infinite loop in io.netty:netty-codec-compression (bzip2).
  • CVE-2026-XXXXX: improper header neutralization in io.netty:netty-codec-http2.
  • CVE-2026-XXXXX: protocol version confusion in io.netty:netty-codec-http (websocket).
  • CVE-2026-56746: improper access control in io.netty:netty-codec-http (CORS).
  • CVE-2026-56822: time-of-check/time-of-use in io.netty:netty-handler-ssl-ocsp.
  • CVE-2026-XXXXX: uncontrolled resource consumption in io.netty:netty-codec-xml.
  • CVE-2026-56820: improper certificate validation in io.netty:netty-handler-ssl-ocsp.
  • CVE-2026-56821: improper certificate revocation check in io.netty:netty-handler-ssl-ocsp.
  • CVE-2026-XXXXX: improper CR/LF neutrolization in io.netty:netty-codec-stomp.

Other significant changes are:

  • Document Java 9 requirement for io_uring in #16904
  • Fix incorrect bounds in error message of HpackDecoder.setMaxHeaderListSize in #16901
  • Add epoch-based chunk cache purge with ring buffer for thread-local reuse in #16766
  • SingleThreadEventExecutor: document Throwable safety contract on run() in #16909
  • Make HTTP/2 frame hashCode consistent with equals in #16910
  • MQTT: Make the decodeProperties early-REPLAY check actually fire in #16919
  • IoUring: fix io_uring datagram writes with non-zero readerIndex in #16905
  • Exclude internal events from IoHandler.run() return value in epoll, io_uring and kqueue in #16848
  • IoUring: Pass IORING_ENTER_NO_IOWAIT to report accurate CPU usage in #16739
  • Reject control characters at the boundary of HTTP method names in #16723
  • IoUring: fix TCP Fast Open initial writes with readerIndex and composites in #16929
  • Fix propagation of startTls for client SslContext handlers in #16931
  • Update to latest tcnative release in #16936
  • Refactor: Useful helper method getOrDefault and cleaner abstraction in #16927
  • Make permessage-deflate server window size and memLevel configurable in #16809
  • Return early in DnsQueryContext.writeQuery when the query ID space is exhausted in #16950
  • Fix HTTP 2 PUSH_PROMISE stream association validation in #16952
  • Fix GZIP FEXTRA extra-field handling in JdkZlibDecoder in #16951
  • Http3FrameCodec handle fragmented payloads when skipping unknown frames in #16960
  • Add opt-in validation of mandatory pseudo-header fields for HTTP/2 in #16932
  • Strictly validate MQTT UTF-8 Encoded String in #16939
  • Stop DateFormatter trailing token from running past the parse end in #16958
  • IpFilter: Deprecate constructor which use accept by default in #16961
  • Add RFC 10008 QUERY Method support in #16966
  • Correctly release and fail queued traffic-shaping writes on close in #16959
  • Reject control characters at the boundary of the HTTP version token in #16971
  • FlowControlHandler: respect auto-read when toggled while dequeueing in #16949
  • Fix leak in ReferenceCountedOpenSslEngine.addCredential in #16979
  • IdleStateHandler: reset firstWriter/ReaderIdleEvent in resetWriteTimeout/resetReadTimeout in #16982
  • Fix typo in AbstractSniHandler Javadoc in #16988
  • Fix client/server inconsistency in SslCredential support matrix in #16990
  • Reconcile AbstractCoalescingBufferQueue readableBytes when it drains, and fail stuck HTTP/2 streams instead of spinning empty DATA frames in #16947
  • Reset UTF-8 decode state on CR in StompSubframeDecoder in #16991
  • FastLz: Guard decompression against truncated input in #17000
  • Reject non-token characters in HTTP/2 header names in #16762
  • Enable extension of Http3ClientConnectionHandler to support higher-level protocols such as WebTransport in #17027
  • Implement Adaptive Cumulator in #16731
  • Allow WebSocket extension negotiation to be disabled per response in #17030
  • Support QPACK sensitivity detector for Never Indexed header fields in #17026
  • Fix maxAllocation for brotli-encoded content in HttpContentDecompressor in #17037
  • Pin github actions to reduce risk in #17043
  • Update lz4-java to 1.11.1 in #17061

For more details please see the complete release notes.

Thank You

Every idea and bug-report counts, and so we thought it is worth mentioning those who helped in this area.

Please report an unintended omission.