Skip navigation

Netty 4.1.136.Final released

We are happy to announce the release of netty 4.1.136.Final. This is a bug-fix and security release.

We strongly recommend upgrading to this version to get the following security fixes:

  • CVE-2026-XXXXX: memory exhaustion in io.netty:netty-codec-stomp.
  • CVE-2026-55833: zip bomb in io.netty:netty-codec-http.
  • CVE-2026-XXXXX: improper CR/LF neutrolization in io.netty:netty-codec-http (multipart).
  • CVE-2026-XXXXX: improper CR/LF neutrolization in io.netty:netty-codec-haproxy.
  • CVE-2026-55851: memory exhaustion in io.netty:netty-codec-haproxy.
  • CVE-2026-56745: memory exhaustion in io.netty:netty-codec-http.
  • CVE-2026-56817: insecure defaults in XML parsing in io.netty:netty-codec-xml.
  • CVE-2026-XXXXX: memory exhaustion in io.netty:netty-codec-http.
  • CVE-2026-56818: memory leak in io.netty:netty-codec-redis.
  • CVE-2026-56819: memory leak in io.netty:netty-codec-http2.
  • CVE-2026-55831: resource exhaustion/DoS in io.netty:netty-codec-http.
  • CVE-2026-XXXXX: memory leak in io.netty:netty-codec-dns.
  • CVE-2026-XXXXX: infinite loop in io.netty:netty-codec-compression (bzip2).
  • CVE-2026-XXXXX: improper header neutralization in io.netty:netty-codec-http2.
  • CVE-2026-XXXXX: protocol version confusion in io.netty:netty-codec-http (websocket).
  • CVE-2026-56746: improper access control in io.netty:netty-codec-http (CORS).
  • CVE-2026-56822: time-of-check/time-of-use in io.netty:netty-handler-ssl-ocsp.
  • CVE-2026-XXXXX: uncontrolled resource consumption in io.netty:netty-codec-xml.
  • CVE-2026-56820: improper certificate validation in io.netty:netty-handler-ssl-ocsp.
  • CVE-2026-56821: improper certificate revocation check in io.netty:netty-handler-ssl-ocsp.
  • CVE-2026-XXXXX: improper CR/LF neutrolization in io.netty:netty-codec-stomp.

Other significant changes are:

  • SingleThreadEventExecutor: document Throwable safety contract on run() by @daguimu in https://github.com/netty/netty/pull/16814
  • Make HTTP/2 frame hashCode consistent with equals by @daguimu in https://github.com/netty/netty/pull/16692
  • Add BlockHound exception for DnsQueryIdSpace (#16896) by @chrisvest in https://github.com/netty/netty/pull/16915
  • FlowControlHandler: Fix autoRead behavior by @chrisvest in https://github.com/netty/netty/pull/16912
  • Auto-port 4.1: Fix incorrect bounds in error message of HpackDecoder.setMaxHeaderListSize by @netty-project-bot in https://github.com/netty/netty/pull/16911
  • MQTT: Fix MQTT decoder size check after variable header replay by @daguimu in https://github.com/netty/netty/pull/16916
  • MQTT: Make the decodeProperties early-REPLAY check actually fire by @daguimu in https://github.com/netty/netty/pull/16813
  • Reject control characters at the boundary of HTTP method names (#16723) by @chrisvest in https://github.com/netty/netty/pull/16933
  • Auto-port 4.1: Update to latest tcnative release by @netty-project-bot in https://github.com/netty/netty/pull/16941
  • Auto-port 4.1: Fix HTTP 2 PUSH_PROMISE stream association validation by @netty-project-bot in https://github.com/netty/netty/pull/16955
  • Auto-port 4.1: Fix GZIP FEXTRA extra-field handling in JdkZlibDecoder by @netty-project-bot in https://github.com/netty/netty/pull/16957
  • Auto-port 4.1: Add opt-in validation of mandatory pseudo-header fields for HTTP/2 by @netty-project-bot in https://github.com/netty/netty/pull/16964
  • Strictly validate MQTT UTF-8 Encoded String (#16939) by @chrisvest in https://github.com/netty/netty/pull/16965
  • Auto-port 4.1: Stop DateFormatter trailing token from running past the parse end by @netty-project-bot in https://github.com/netty/netty/pull/16968
  • Auto-port 4.1: IpFilter: Deprecate constructor which use accept by default by @netty-project-bot in https://github.com/netty/netty/pull/16973
  • Add RFC 10008 QUERY Method support (#16966) by @normanmaurer in https://github.com/netty/netty/pull/16978
  • Correctly release and fail queued traffic-shaping writes on close (#16959) by @normanmaurer in https://github.com/netty/netty/pull/16976
  • Auto-port 4.1: FlowControlHandler: respect auto-read when toggled while dequeueing by @netty-project-bot in https://github.com/netty/netty/pull/16983
  • IdleStateHandler: reset firstWriter/ReaderIdleEvent in resetWriteTimeout/resetReadTimeout (#16982) by @chrisvest in https://github.com/netty/netty/pull/16989
  • Auto-port 4.1: Fix typo in AbstractSniHandler Javadoc by @netty-project-bot in https://github.com/netty/netty/pull/16995
  • Auto-port 4.1: Reconcile AbstractCoalescingBufferQueue readableBytes when it drains, and fail stuck HTTP/2 streams instead of spinning empty DATA frames by @netty-project-bot in https://github.com/netty/netty/pull/16997
  • Reject control characters at the boundary of the HTTP version token (#16971) by @normanmaurer in https://github.com/netty/netty/pull/16986
  • Auto-port 4.1: Reset UTF-8 decode state on CR in StompSubframeDecoder by @netty-project-bot in https://github.com/netty/netty/pull/17003
  • Auto-port 4.1: HTTP2: Pass the correct number of arguments when logging goaway by @netty-project-bot in https://github.com/netty/netty/pull/17017
  • FastLz: Guard decompression against truncated input (#17000) by @chrisvest in https://github.com/netty/netty/pull/17015
  • Backport 4.1 Fix propagation of startTls for client SslContext handler by @skyguard1 in https://github.com/netty/netty/pull/17020
  • Auto-port 4.1: Reject non-token characters in HTTP/2 header names by @netty-project-bot in https://github.com/netty/netty/pull/17022
  • Update lz4-java to 1.11.1 by @yawkat in https://github.com/netty/netty/pull/17060
  • Pin github actions to reduce risk (#17043) by @normanmaurer in https://github.com/netty/netty/pull/17044
  • Merge branches from forks (#17063) by @normanmaurer in https://github.com/netty/netty/pull/17065

For more details please see the complete release notes.

Thank You

Every idea and bug-report counts, and so we thought it is worth mentioning those who helped in this area.

Please report an unintended omission.