Posted 19 days ago by chrisvest
We are happy to announce the release of netty 4.1.135.Final. This is a bug-fix and security release.
We strongly recommend upgrading to this version to get the following security fixes:
CVE-2026-48059: memory exhaustion in io.netty:netty-codec-haproxy (high).
CVE-2026-47691: DNS cache poisoning in io.netty:netty-resolver-dns (high).
CVE-2026-XXXXX: DDoS in io.netty:netty-codec-http2.
CVE-2026-XXXXX: memory exhaustion in io.netty:netty-codec-redis (high).
CVE-2026-44250: memory exhaustion in io.netty:netty-codec-redis (high).
CVE-2026-44890: memory exhaustion in io.netty:netty-codec-redis (high).
CVE-2026-44249: IPv6 subnet filter bypass in io.netty:netty-handler (high).
CVE-2026-XXXXX: request smuggling in io.netty:netty-codec-http.
CVE-2026-44893: memory leak in io.netty:netty-codec-haproxy (high).
CVE-2026-XXXXX: TLS hostname verification accidentally disabled in io.netty:netty-handler (high).
CVE-2026-45673: DNS cache poisoning in io.netty:netty-resolver-dns.
CVE-2026-45416: excessive memory usage from SNIHandler in io.netty:netty-handler (high).
CVE-2026-45536: file descriptor leak in io.netty:netty-transport-native-epoll...

Posted 19 days ago by chrisvest
We are happy to announce the release of netty 4.1.135.Final. This is a bug-fix and security release.
We strongly recommend upgrading to this version to get the following security fixes:
CVE-2026-48059: memory exhaustion in io.netty:netty-codec-haproxy (high).
CVE-2026-47691: DNS cache poisoning in io.netty:netty-resolver-dns (high).
CVE-2026-XXXXX: DDoS in io.netty:netty-codec-http2.
CVE-2026-50011: memory exhaustion in io.netty:netty-codec-redis (high).
CVE-2026-44250: memory exhaustion in io.netty:netty-codec-redis (high).
CVE-2026-44890: memory exhaustion in io.netty:netty-codec-redis (high).
CVE-2026-44249: IPv6 subnet filter bypass in io.netty:netty-handler (high).
CVE-2026-50020: request smuggling in io.netty:netty-codec-http.
CVE-2026-44893: memory leak in io.netty:netty-codec-haproxy (high).
CVE-2026-50010: TLS hostname verification accidentally disabled in io.netty:netty-handler (high).
CVE-2026-45673: DNS cache poisoning in io.netty:netty-resolver-dns.
CVE-2026-45416: excessive memory usage from SNIHandler in io.netty:netty-handler (high).
CVE-2026-45536: file descriptor leak in io.netty:netty-transport-native-epoll...

Posted 19 days ago by chrisvest
We are happy to announce the release of netty 4.1.135.Final. This is a bug-fix and security release.
We strongly recommend upgrading to this version to get the following security fixes:
CVE-2026-48059: memory exhaustion in io.netty:netty-codec-haproxy (high).
CVE-2026-47691: DNS cache poisoning in io.netty:netty-resolver-dns (high).
CVE-2026-50560: DDoS in io.netty:netty-codec-http2.
CVE-2026-50011: memory exhaustion in io.netty:netty-codec-redis (high).
CVE-2026-44250: memory exhaustion in io.netty:netty-codec-redis (high).
CVE-2026-44890: memory exhaustion in io.netty:netty-codec-redis (high).
CVE-2026-44249: IPv6 subnet filter bypass in io.netty:netty-handler (high).
CVE-2026-50020: request smuggling in io.netty:netty-codec-http.
CVE-2026-44893: memory leak in io.netty:netty-codec-haproxy (high).
CVE-2026-50010: TLS hostname verification accidentally disabled in io.netty:netty-handler (high).
CVE-2026-45673: DNS cache poisoning in io.netty:netty-resolver-dns.
CVE-2026-45416: excessive memory usage from SNIHandler in io.netty:netty-handler (high).
CVE-2026-45536: file descriptor leak in io.netty:netty-transport-native-epoll...

Posted 20 days ago by chrisvest
We are happy to announce the release of netty 4.2.15.Final. This is a bug-fix and security release.
We strongly recommend upgrading to this version to get the following security fixes:
CVE-2026-48059: memory exhaustion in io.netty:netty-codec-haproxy (high).
CVE-2026-47691: DNS cache poisoning in io.netty:netty-resolver-dns (high).
CVE-2026-50560: DDoS in io.netty:netty-codec-http2.
CVE-2026-50011: memory exhaustion in io.netty:netty-codec-redis (high).
CVE-2026-44250: memory exhaustion in io.netty:netty-codec-redis (high).
CVE-2026-44890: memory exhaustion in io.netty:netty-codec-redis (high).
CVE-2026-50009: information disclosure and denial of service in io.netty:netty-codec-classes-quic.
CVE-2026-44249: IPv6 subnet filter bypass in io.netty:netty-handler (high).
CVE-2026-50020: request smuggling in io.netty:netty-codec-http.
CVE-2026-44892: memory exhaustion in io.netty:netty-codec-http3 (high).
CVE-2026-44893: memory leak in io.netty:netty-codec-haproxy (high).
CVE-2026-44894: traffic amplification in io.netty:netty-codec-classes-quic (high).
CVE-2026-50010: TLS hostname verification accidentally disabled in io.netty:netty-handler (high).
CVE-2026-45673:...

Posted 20 days ago by chrisvest
We are happy to announce the release of netty 4.2.15.Final. This is a bug-fix and security release.
We strongly recommend upgrading to this version to get the following security fixes:
CVE-2026-48059: memory exhaustion in io.netty:netty-codec-haproxy (high).
CVE-2026-47691: DNS cache poisoning in io.netty:netty-resolver-dns (high).
CVE-2026-XXXXX: DDoS in io.netty:netty-codec-http2.
CVE-2026-XXXXX: memory exhaustion in io.netty:netty-codec-redis (high).
CVE-2026-44250: memory exhaustion in io.netty:netty-codec-redis (high).
CVE-2026-44890: memory exhaustion in io.netty:netty-codec-redis (high).
CVE-2026-XXXXX: information disclosure and denial of service in io.netty:netty-codec-classes-quic.
CVE-2026-44249: IPv6 subnet filter bypass in io.netty:netty-handler (high).
CVE-2026-XXXXX: request smuggling in io.netty:netty-codec-http.
CVE-2026-44892: memory exhaustion in io.netty:netty-codec-http3 (high).
CVE-2026-44893: memory leak in io.netty:netty-codec-haproxy (high).
CVE-2026-44894: traffic amplification in io.netty:netty-codec-classes-quic (high).
CVE-2026-XXXXX: TLS hostname verification accidentally disabled in io.netty:netty-handler (high).
CVE-2026-45673:...

Posted 20 days ago by chrisvest
We are happy to announce the release of netty 4.2.15.Final. This is a bug-fix and security release.
We strongly recommend upgrading to this version to get the following security fixes:
CVE-2026-48059: memory exhaustion in io.netty:netty-codec-haproxy (high).
CVE-2026-47691: DNS cache poisoning in io.netty:netty-resolver-dns (high).
CVE-2026-XXXXX: DDoS in io.netty:netty-codec-http2.
CVE-2026-50011: memory exhaustion in io.netty:netty-codec-redis (high).
CVE-2026-44250: memory exhaustion in io.netty:netty-codec-redis (high).
CVE-2026-44890: memory exhaustion in io.netty:netty-codec-redis (high).
CVE-2026-50009: information disclosure and denial of service in io.netty:netty-codec-classes-quic.
CVE-2026-44249: IPv6 subnet filter bypass in io.netty:netty-handler (high).
CVE-2026-50020: request smuggling in io.netty:netty-codec-http.
CVE-2026-44892: memory exhaustion in io.netty:netty-codec-http3 (high).
CVE-2026-44893: memory leak in io.netty:netty-codec-haproxy (high).
CVE-2026-44894: traffic amplification in io.netty:netty-codec-classes-quic (high).
CVE-2026-50010: TLS hostname verification accidentally disabled in io.netty:netty-handler (high).
CVE-2026-45673:...

Posted about 1 month ago by chrisvest
We are happy to announce the release of netty 4.2.14.Final. This is a bug-fix release.
We recommend upgrading to this version to get the following fixes:
HTTP: Re-add constructor to HttpProxyHandler that was removed by mistake #16747
Marshalling: Explicit document security requirements #16752
Fix io_uring op completion TRACE logging #16755
Quic: Ensure writes are done before notify close promise of QuicheQuicChannel #16758
Avoid re-parsing openssl key material with non-cached provider #16759
Pin HTTP/RTSP version + method normalization to Locale.US #16765
Fill MsgHdrMemoryArray#hdrs with null entry on release #16764
Adaptive: Fix concurrency issue in adaptive allocator #16767
Make bulk byte moving in ByteBuf faster #16781
Pin multipart Content-Type / Content-Transfer-Encoding case folding...

Posted about 1 month ago by chrisvest
We are happy to announce the release of netty 4.1.134.Final. This is a bug-fix release.
We recommend upgrading to this version to get the following fixes:
HTTP: Re-add constructor to HttpProxyHandler that was removed by mistake #16750
Marshalling: Explicit document security requirements #16754
Pin HTTP/RTSP version + method normalization to Locale.US #16770
Adaptive: Fix concurrency issue in adaptive allocator #16778
Pin multipart Content-Type / Content-Transfer-Encoding case folding to Locale.US #16784
Remove dead native declarations #16785
Avoid re-parsing openssl key material with non-cached provider #16791
IpFilter: Fix ClassCastException caused by IpSubnetFilter if only ipv6 rules are configured but remote peer is using ipv4 #16822
Resolve all localhost addresses without querying DNS...

Posted about 2 months ago by chrisvest
We are happy to announce the release of netty 4.2.13.Final. This is a bug-fix and security release that fixes numerous security issues.
We strongly recommend upgrading to this version to get the following security fixes:
CVE-2026-42586 (netty-codec-redis)
CVE-2026-42578 (netty-handler-proxy)
CVE-2026-42577 (netty-transport-native-epoll)
CVE-2026-42587 (netty-codec-http, netty-codec-http2)
CVE-2026-41417 (netty-codec-http)
CVE-2026-42581 (netty-codec-http)
CVE-2026-42580 (netty-codec-http)
CVE-2026-42585 (netty-codec-http)
CVE-2026-42579 (netty-codec-dns)
CVE-2026-42582 (netty-codec-http3)
CVE-2026-42583 (netty-codec, netty-codec-compression)
CVE-2026-42584 (netty-codec-http)
CVE-2026-44248 (netty-codec-mqtt)
Breaking Changes
The patch for CVE-2026-42581 prohibits HTTP/1.1 requests containing both the Transfer-Encoding and Content-Length headers, in line with RFC 9112. Previous versions of HTTP/1.1 (RFC 7230) permitted this combination. You can restore the old behavior with the -Dio.netty.handler.codec.http.rfc9112TransferEncoding=false system property or with HttpDecoderConfig. Note that disabling this check may lead to request smuggling vulnerabilities.
Other significant changes are:
Kqueue:...

Posted about 2 months ago by chrisvest
We are happy to announce the release of netty 4.1.133.Final. This is a bug-fix and security release that fixes numerous security issues.
We strongly recommend upgrading to this version to get the following security fixes:
CVE-2026-42586 (netty-codec-redis)
CVE-2026-42578 (netty-handler-proxy)
CVE-2026-42587 (netty-codec-http, netty-codec-http2)
CVE-2026-41417 (netty-codec-http)
CVE-2026-42581 (netty-codec-http)
CVE-2026-42580 (netty-codec-http)
CVE-2026-42585 (netty-codec-http)
CVE-2026-42579 (netty-codec-dns)
CVE-2026-42582 (netty-codec-http3)
CVE-2026-42583 (netty-codec, netty-codec-compression)
CVE-2026-42584 (netty-codec-http)
CVE-2026-44248 (netty-codec-mqtt)
Other significant changes are:
Fix IndexOutOfBoundsException in StompSubframeDecoder on heartbeat #16539
Kqueue: sendfile EINTR doesn't advance offset — data duplication #16554
Avoid leak in PemReader on OutOfDirectMemoryError #16576
Native DNS resolver: Guard against malloc failures #16584
Include user properties and subscription IDs in MqttProperties#isEmpty #16582
Fix parsing HTTP chunks with multiple extensions #16588
Epoll: Cleanup code to always return negative...