Releases: netty/netty
Release list
netty-4.1.136.Final
What's Changed
- SingleThreadEventExecutor: document Throwable safety contract on run() by @daguimu in #16814
- Make HTTP/2 frame hashCode consistent with equals by @daguimu in #16692
- Add BlockHound exception for DnsQueryIdSpace (#16896) by @chrisvest in #16915
- FlowControlHandler: Fix autoRead behavior by @chrisvest in #16912
- Auto-port 4.1: Fix incorrect bounds in error message of HpackDecoder.setMaxHeaderListSize by @netty-project-bot in #16911
- MQTT: Fix MQTT decoder size check after variable header replay by @daguimu in #16916
- MQTT: Make the decodeProperties early-REPLAY check actually fire by @daguimu in #16813
- Reject control characters at the boundary of HTTP method names (#16723) by @chrisvest in #16933
- Auto-port 4.1: Update to latest tcnative release by @netty-project-bot in #16941
- Auto-port 4.1: Fix HTTP 2 PUSH_PROMISE stream association validation by @netty-project-bot in #16955
- Auto-port 4.1: Fix GZIP FEXTRA extra-field handling in JdkZlibDecoder by @netty-project-bot in #16957
- Auto-port 4.1: Add opt-in validation of mandatory pseudo-header fields for HTTP/2 by @netty-project-bot in #16964
- Strictly validate MQTT UTF-8 Encoded String (#16939) by @chrisvest in #16965
- Auto-port 4.1: Stop DateFormatter trailing token from running past the parse end by @netty-project-bot in #16968
- Auto-port 4.1: IpFilter: Deprecate constructor which use accept by default by @netty-project-bot in #16973
- Add RFC 10008 QUERY Method support (#16966) by @normanmaurer in #16978
- Correctly release and fail queued traffic-shaping writes on close (#16959) by @normanmaurer in #16976
- Auto-port 4.1: FlowControlHandler: respect auto-read when toggled while dequeueing by @netty-project-bot in #16983
- IdleStateHandler: reset firstWriter/ReaderIdleEvent in resetWriteTimeout/resetReadTimeout (#16982) by @chrisvest in #16989
- Auto-port 4.1: Fix typo in AbstractSniHandler Javadoc by @netty-project-bot in #16995
- Auto-port 4.1: Reconcile
AbstractCoalescingBufferQueuereadableBytes when it drains, and fail stuck HTTP/2 streams instead of spinning empty DATA frames by @netty-project-bot in #16997 - Reject control characters at the boundary of the HTTP version token (#16971) by @normanmaurer in #16986
- Auto-port 4.1: Reset UTF-8 decode state on CR in StompSubframeDecoder by @netty-project-bot in #17003
- Auto-port 4.1: HTTP2: Pass the correct number of arguments when logging goaway by @netty-project-bot in #17017
- FastLz: Guard decompression against truncated input (#17000) by @chrisvest in #17015
- Backport 4.1 Fix propagation of startTls for client SslContext handler by @skyguard1 in #17020
- Auto-port 4.1: Reject non-token characters in HTTP/2 header names by @netty-project-bot in #17022
- Update lz4-java to 1.11.1 by @yawkat in #17060
- Pin github actions to reduce risk (#17043) by @normanmaurer in #17044
- Merge branches from forks (#17063) by @normanmaurer in #17065
Full Changelog: netty-4.1.135.Final...netty-4.1.136.Final
netty-4.2.16.Final
What's Changed
- Document Java 9 requirement for io_uring by @jchambers in #16904
- Add BlockHound exception for DnsQueryIdSpace by @violetagg in #16896
- Fix incorrect bounds in error message of HpackDecoder.setMaxHeaderListSize by @skyguard1 in #16901
- Add epoch-based chunk cache purge with ring buffer for thread-local reuse by @franz1981 in #16766
- Use Splittable/ThreadLocalRandom to generate bulk data in tests by @chrisvest in #16808
- Auto-port 4.2: SingleThreadEventExecutor: document Throwable safety contract on run() by @netty-project-bot in #16909
- Auto-port 4.2: Make HTTP/2 frame hashCode consistent with equals by @netty-project-bot in #16910
- Auto-port 4.2: MQTT: Make the decodeProperties early-REPLAY check actually fire by @netty-project-bot in #16919
- IoUring: fix io_uring datagram writes with non-zero readerIndex by @dreamlike-ocean in #16905
- Exclude internal events from IoHandler.run() return value in epoll, io_uring and kqueue by @franz1981 in #16848
- IoUring: Pass IORING_ENTER_NO_IOWAIT to report accurate CPU usage by @wineway in #16739
- Avoid logging exceptions that tests ignore by @chrisvest in #16891
- Reject control characters at the boundary of HTTP method names by @daguimu in #16723
- IoUring: fix TCP Fast Open initial writes with readerIndex and composites by @dreamlike-ocean in #16929
- Try to fix/stabilize a number of flaky tests by @chrisvest in #16934
- Fix propagation of startTls for client SslContext handlers by @skyguard1 in #16931
- Update to latest tcnative release by @normanmaurer in #16936
- Move test to shared testsuite by @normanmaurer in #16928
- [Refactor] Useful helper method getOrDefault & cleaner abstraction by @sanjomo in #16927
- Make permessage-deflate server window size and memLevel configurable by @fru1tworld in #16809
- Return early in DnsQueryContext.writeQuery when the query ID space is exhausted by @HwangRock in #16950
- Fix HTTP 2 PUSH_PROMISE stream association validation by @skyguard1 in #16952
- Fix GZIP FEXTRA extra-field handling in JdkZlibDecoder by @daguimu in #16951
- Http3FrameCodec handle fragmented payloads when skipping unknown frames by @skyguard1 in #16960
- Add opt-in validation of mandatory pseudo-header fields for HTTP/2 by @hyperxpro in #16932
- Strictly validate MQTT UTF-8 Encoded String by @skyguard1 in #16939
- Stop DateFormatter trailing token from running past the parse end by @daguimu in #16958
- IpFilter: Deprecate constructor which use accept by default by @normanmaurer in #16961
- Add RFC 10008 QUERY Method support by @desiderantes in #16966
- Correctly release and fail queued traffic-shaping writes on close by @skyguard1 in #16959
- Reject control characters at the boundary of the HTTP version token by @HwangRock in #16971
- FlowControlHandler: respect auto-read when toggled while dequeueing by @schiemon in #16949
- Fix leak in ReferenceCountedOpenSslEngine.addCredential by @jmcrawford45 in #16979
- IdleStateHandler: reset firstWriter/ReaderIdleEvent in resetWriteTimeout/resetReadTimeout by @husseinvr97 in #16982
- Fix typo in AbstractSniHandler Javadoc by @coderbruis in #16988
- Fix client/server inconsistency in SslCredential support matrix by @jmcrawford45 in #16990
- Reconcile
AbstractCoalescingBufferQueuereadableBytes when it drains, and fail stuck HTTP/2 streams instead of spinning empty DATA frames by @gavinbunney in #16947 - Use Ticker in Http2MaxRstFrameListener for testability by @skyguard1 in #16993
- Reset UTF-8 decode state on CR in StompSubframeDecoder by @vasiliy-mikhailov in #16991
- FastLz: Guard decompression against truncated input by @yawkat in #17000
- Reject non-token characters in HTTP/2 header names by @daguimu in #16762
- Auto-port 4.2: Fix SelfSignCertificate initialization in tests by @netty-project-bot in #17029
- Enable extension of Http3ClientConnectionHandler to support higher-level protocols such as WebTransport. by @sanjomo in #17027
- Implement Adaptive Cumulator by @shivaspeaks in #16731
- Allow WebSocket extension negotiation to be disabled per response by @mkurz in #17030
- Support QPACK sensitivity detector for Never Indexed header fields by @skyguard1 in #17026
- Fix maxAllocation for brotli-encoded content in HttpContentDecompressor by @skyguard1 in #17037
- Pin github actions to reduce risk by @normanmaurer in #17043
- Update lz4-java to 1.11.1 by @yawkat in #17061
- Merge branches from forks by @chrisvest in #17063
New Contributors
- @HwangRock made their first contribution in #16950
- @desiderantes made their first contribution in #16966
- @husseinvr97 made their first contribution in #16982
- @gavinbunney made their first contribution in #16947
- @vasiliy-mikhailov made their first contribution in #16991
- @shivaspeaks made their first contribution in #16731
Full Changelog: netty-4.2.15.Final...netty-4.2.16.Final
netty-4.2.15.Final
Security fixes
- CVE-2026-48059: memory exhaustion in
io.netty:netty-codec-haproxy(high). - CVE-2026-47691: DNS cache poisoning in
io.netty:netty-resolver-dns(high). - CVE-2026-50560: DDoS in
io.netty:netty-codec-http2. - CVE-2026-50011: memory exhaustion in
io.netty:netty-codec-redis(high). - CVE-2026-44250: memory exhaustion in
io.netty:netty-codec-redis(high). - CVE-2026-44890: memory exhaustion in
io.netty:netty-codec-redis(high). - CVE-2026-50009: information disclosure and denial of service in
io.netty:netty-codec-classes-quic. - CVE-2026-44249: IPv6 subnet filter bypass in
io.netty:netty-handler(high). - CVE-2026-50020: request smuggling in
io.netty:netty-codec-http. - CVE-2026-44892: memory exhaustion in
io.netty:netty-codec-http3(high). - CVE-2026-44893: memory leak in
io.netty:netty-codec-haproxy(high). - CVE-2026-44894: traffic amplification in
io.netty:netty-codec-classes-quic(high). - CVE-2026-50010: TLS hostname verification accidentally disabled in
io.netty:netty-handler(high). - CVE-2026-45673: DNS cache poisoning in
io.netty:netty-resolver-dns. - CVE-2026-45416: excessive memory usage from SNIHandler in
io.netty:netty-handler(high). - CVE-2026-45536: file descriptor leak in
io.netty:netty-transport-native-epollandio.netty:netty-transport-native-kqueue. - CVE-2026-45674: DNS cache poisoning in
io.netty:netty-resolver-dns(high). - CVE-2026-46340: memory exhaustion in
io.netty:netty-transport-sctp(high). - CVE-2026-47244: denial of service in
io.netty:netty-codec-http2. - CVE-2026-48006: memory exhaustion in
io.netty:netty-codec-redis(high). - CVE-2026-48748: memory exhaustion in
io.netty:netty-codec-http3(high). - CVE-2026-48043: memory exhaustion in
io.netty:netty-codec-http2.
What's Changed
- Fix race in io.netty.channel.uring.IoUringIoHandler.wakeup by @dreamlike-ocean in #16836
- HTTP/2: Parse request-target path like Vert.x by @yawkat in #16810
- Auto-port 4.2: ChannelInitializer: correct misleading comment on exceptionCaught route by @netty-project-bot in #16853
- FlowControlHandler: Suppress duplicate channelReadComplete after draining queue (#15053) by @schiemon in #16837
- Pass maxAllocation to Brotli and Zstd decoders by @fedinskiy in #16844
- Fix revapi warnings by @chrisvest in #16885
- Fix SCTP and Redis tests by @chrisvest in #16893
- Add maxWindowLog parameter to ZstdDecoder to bound memory allocation by @skyguard1 in #16850
- Auto-port 4.2: MQTT: Reject malformed no-payload packets with non-zero Remaining Length by @netty-project-bot in #16890
New Contributors
- @schiemon made their first contribution in #16837
- @fedinskiy made their first contribution in #16844
Full Changelog: netty-4.2.14.Final...netty-4.2.15.Final
netty-4.1.135.Final
Security fixes
- CVE-2026-48059: memory exhaustion in
io.netty:netty-codec-haproxy(high). - CVE-2026-47691: DNS cache poisoning in
io.netty:netty-resolver-dns(high). - CVE-2026-50560: DDoS in
io.netty:netty-codec-http2. - CVE-2026-50011: memory exhaustion in
io.netty:netty-codec-redis(high). - CVE-2026-44250: memory exhaustion in
io.netty:netty-codec-redis(high). - CVE-2026-44890: memory exhaustion in
io.netty:netty-codec-redis(high). - CVE-2026-44249: IPv6 subnet filter bypass in
io.netty:netty-handler(high). - CVE-2026-50020: request smuggling in
io.netty:netty-codec-http. - CVE-2026-44893: memory leak in
io.netty:netty-codec-haproxy(high). - CVE-2026-50010: TLS hostname verification accidentally disabled in
io.netty:netty-handler(high). - CVE-2026-45673: DNS cache poisoning in
io.netty:netty-resolver-dns. - CVE-2026-45416: excessive memory usage from SNIHandler in
io.netty:netty-handler(high). - CVE-2026-45536: file descriptor leak in
io.netty:netty-transport-native-epollandio.netty:netty-transport-native-kqueue. - CVE-2026-45674: DNS cache poisoning in
io.netty:netty-resolver-dns(high). - CVE-2026-46340: memory exhaustion in
io.netty:netty-transport-sctp(high). - CVE-2026-47244: denial of service in
io.netty:netty-codec-http2. - CVE-2026-48006: memory exhaustion in
io.netty:netty-codec-redis(high). - CVE-2026-48043: memory exhaustion in
io.netty:netty-codec-http2.
What's Changed
- Auto-port 4.1: MQTT: Allow MQTT 5 CONNECT with password only by @netty-project-bot in #16834
- ChannelInitializer: correct misleading comment on exceptionCaught route by @daguimu in #16847
- HTTP/2: Parse request-target path like Vert.x (4.1 backport) by @yawkat in #16856
- HttpObjectDecoder skips arbitrary initial control characters when only initial CRLF characters are permitted by @normanmaurer in #16861
- IpSubnetFilter: Correctly handle ipv6 by @normanmaurer in #16860
- Configurable bound on RedisArrayAggregator by @normanmaurer in #16858
- Redis: Limit decoded length by @normanmaurer in #16859
- DNS: Ensure query id is not predictible by @normanmaurer in #16870
- Wrapping plain trust manager silently disables hostname verification by @normanmaurer in #16868
- MQTT: Reject malformed no-payload packets with non-zero Remaining Length by @daguimu in #16852
- Fix revapi warnings (#16885) by @chrisvest in #16892
- HAProxy: Reject HAProxyMessages with malformated TLV and not leak memory by @normanmaurer in #16866
- SSL: Use sane defaults as limits for the client hello length and timeout by @normanmaurer in #16871
- DNS: Only cache CNAME if part of the queried domain by @normanmaurer in #16873
- HTTP/2: Enforce max concurrent streams for misbehaving clients by @normanmaurer in #16876
- Dns: Insufficient Bailiwick Validation for NS Records by @normanmaurer in #16877
- HTTP2: DelegatingDecompressorFrameListener must release memory in all cases by @normanmaurer in #16880
- Pass maxAllocation to Brotli and Zstd decoders (#16844) by @chrisvest in #16886
- HTTP/2: Treat clients MAX_HEADER_LIST_SIZE as advisory by @normanmaurer in #16883
- Auto-port 4.1: Add maxWindowLog parameter to ZstdDecoder to bound memory allocation by @netty-project-bot in #16894
- HAProxy: Fix ByteBuf leak when parsing nested SSL TLVs by @normanmaurer in #16881
- Epoll / Kqueue: Correctly handle receive of FD by @normanmaurer in #16872
- SCTP: Limit the number of inflight incomplete SCTP messages and the number of fragments by @normanmaurer in #16875
- Redis: Correctly release incomplete message on removal when using RedisArrayAggregator by @normanmaurer in #16878
- Redis: Limit the maximum number of nested arrays by @normanmaurer in #16882
Full Changelog: netty-4.1.134.Final...netty-4.1.135.Final
netty-4.2.14.Final
What's Changed
- HTTP: Fix revapi failure introduced by 84530fa by @normanmaurer in #16748
- HTTP: Re-add constructor to HttpProxyHandler that was removed by mistake by @normanmaurer in #16747
- Marshalling: Explicit document security requirements by @normanmaurer in #16752
- Fix io_uring op completion TRACE logging by @chrisvest in #16755
- Quic: Ensure writes are done before notify close promise of QuicheQui… by @normanmaurer in #16758
- Avoid re-parsing openssl key material with non-cached provider by @chrisvest in #16759
- Pin HTTP/RTSP version + method normalization to Locale.US by @daguimu in #16765
- Fill MsgHdrMemoryArray#hdrs with null entry on release by @tsegismont in #16764
- Revapi: Use default "oldVersion" by @chrisvest in #16774
- Adaptive: Fix concurrency issue in adaptive allocator by @chrisvest in #16767
- Auto-port 4.2: Make bulk byte moving in ByteBuf faster by @netty-project-bot in #16781
- Pin multipart Content-Type / Content-Transfer-Encoding case folding to Locale.US by @daguimu in #16768
- Remove dead native declarations by @pandareen in #16783
- Isolate tests that modify available Security providers by @chrisvest in #16793
- Remove test annotations from a method that isn't a test by @chrisvest in #16792
- Enable OpenSslCachingKeyMaterialProvider to evict stale entries after cert rotation by @zhangweikop in #16523
- IoUring: extend user data from short to long by @dreamlike-ocean in #16682
- Revert CompositeByteBuf component search fast path by @yawkat in #16811
- HTTP2: Use 100 as default max concurrent streams setting by @normanmaurer in #16804
- Fix ResumptionController wrapping by @chrisvest in #16815
- Resolve all localhost addresses without querying DNS servers by @JulianVennen in #16749
- IpFilter: Fix ClassCastException caused by IpSubnetFilter if only ipv6 rules are configured but remote peer is using ipv4 by @normanmaurer in #16803
- Fix memoryAddress() for direct ByteBuffers wrapped by Unpooled without Unsafe by @dreamlike-ocean in #16788
- Route synchronous onLookupComplete exceptions via fireExceptionCaught by @kwondh5217 in #16794
- IoUring: Stop generic FileRegion drain loop when transferred() reaches count() by @LuciferYang in #16826
- MQTT: Allow MQTT 5 CONNECT with password only by @shblue21 in #16833
- Fix MQTT decoder size check after variable header replay by @daguimu in #16787
New Contributors
- @pandareen made their first contribution in #16783
- @zhangweikop made their first contribution in #16523
- @JulianVennen made their first contribution in #16749
- @kwondh5217 made their first contribution in #16794
- @shblue21 made their first contribution in #16833
Full Changelog: netty-4.2.13.Final...netty-4.2.14.Final
netty-4.1.134.Final
What's Changed
- Auto-port 4.1: HTTP: Re-add constructor to HttpProxyHandler that was removed by mistake by @netty-project-bot in #16750
- Auto-port 4.1: Marshalling: Explicit document security requirements by @netty-project-bot in #16754
- Pin HTTP/RTSP version + method normalization to Locale.US (#16765) by @normanmaurer in #16770
- Adaptive: Fix concurrency issue in adaptive allocator (#16767) by @chrisvest in #16778
- Pin multipart Content-Type / Content-Transfer-Encoding case folding t… by @normanmaurer in #16784
- Auto-port 4.1: Remove dead native declarations by @netty-project-bot in #16785
- Avoid re-parsing openssl key material with non-cached provider (#16759) by @chrisvest in #16791
- Isolate tests that modify available Security providers (#16793) by @chrisvest in #16805
- Auto-port 4.1: Remove test annotations from a method that isn't a test by @netty-project-bot in #16798
- Auto-port 4.1: IpFilter: Fix ClassCastException caused by IpSubnetFilter if only ipv6 rules are configured but remote peer is using ipv4 by @netty-project-bot in #16822
- Resolve all localhost addresses without querying DNS servers (#16749) by @normanmaurer in #16820
- Auto-port 4.1: HTTP2: Use 100 as default max concurrent streams setting by @netty-project-bot in #16816
- Auto-port 4.1: Route synchronous onLookupComplete exceptions via fireExceptionCaught by @netty-project-bot in #16824
- Auto-port 4.1: Fix MQTT decoder size check after variable header replay by @netty-project-bot in #16838
Full Changelog: netty-4.1.133.Final...netty-4.1.134.Final
netty-4.2.13.Final
CVEs Fixed
- CVE-2026-42586 (netty-codec-redis)
- CVE-2026-42578 (netty-handler-proxy)
- CVE-2026-42577 (netty-transport-native-epoll)
- CVE-2026-42587 (netty-codec-http, netty-codec-http2)
- CVE-2026-41417 (netty-codec-http)
- CVE-2026-42581 (netty-codec-http)
- CVE-2026-42580 (netty-codec-http)
- CVE-2026-42585 (netty-codec-http)
- CVE-2026-42579 (netty-codec-dns)
- CVE-2026-42582 (netty-codec-http3)
- CVE-2026-42583 (netty-codec, netty-codec-compression)
- CVE-2026-42584 (netty-codec-http)
- CVE-2026-44248 (netty-codec-mqtt)
Breaking Changes
The patch for CVE-2026-42581 prohibits HTTP/1.1 requests containing both the Transfer-Encoding and Content-Length headers, in line with RFC 9112. Previous versions of HTTP/1.1 (RFC 7230) permitted this combination. You can restore the old behavior with the -Dio.netty.handler.codec.http.rfc9112TransferEncoding=false system property or with HttpDecoderConfig. Note that disabling this check may lead to request smuggling vulnerabilities.
What's Changed
- Kqueue: sendfile EINTR doesn't advance offset — data duplication by @normanmaurer in #16544
- Replace usage of strerror with thread-safe alternative by @normanmaurer in #16547
- Fix implementation of strerror_r_xsi for GNU by @normanmaurer in #16546
- Lazy init ArrayList in DefaultHeaders.getAll by @doom369 in #16526
- Less logging in AWS-LC build by @chrisvest in #16565
- Ensure the CRYPTO_BUFFER_POOL is also freed when we fail creating the SSLContext by @normanmaurer in #16545
- Auto-port 4.2: Fix IndexOutOfBoundsException in StompSubframeDecoder on heartbeat by @netty-project-bot in #16543
- Avoid leak in PemReader on OutOfDirectMemoryError by @raipc in #16551
- IoUring: Disable test while we debug to unblock other builds by @normanmaurer in #16581
- Include user properties and subscription IDs in MqttProperties#isEmpty by @ShadowySpirits in #16575
- Native DNS resolver: Guard against malloc failures by @normanmaurer in #16559
- Auto-port 4.2: Increase timeouts for QuicChannelConnectTest by @netty-project-bot in #16578
- Fix parsing HTTP chunks with multiple extensions by @chrisvest in #16579
- Bump org.codehaus.plexus:plexus-utils from 3.4.2 to 4.0.3 in /codec-native-quic by @dependabot[bot] in #16572
- Revert to PR build to Ubuntu 22.04 by @chrisvest in #16595
- Native transports: Correctly create pipe when pipe2 is not supported by @normanmaurer in #16592
- Epoll: Cleanup code to always return negative value on failure by @normanmaurer in #16591
- Fix component search fast path by @yawkat in #16548
- Stabilize read-only toStringMultipleThreads1 by @chrisvest in #16608
- Stabilize more AbstractByteBufTests by @chrisvest in #16611
- Remove note about needing 256-bit for PQC by @chrisvest in #16605
- Stabilize testSessionInvalidate for Conscrypt by @chrisvest in #16615
- Quic: Correctly handle SSL_CTX_new failures by @normanmaurer in #16622
- Make LocalIoHandle public by @rdicroce in #16621
- Quic: Fix shadowing of variable which leads to incorrectly handling errors by @normanmaurer in #16623
- Auto-port 4.2: Use stream error for maxContentLength exceeded in InboundHttp2ToHttpAdapter by @netty-project-bot in #16629
- Fix
shutdownInputbug in kqueue for empty recv buffer by @chrisvest in #16630 - fix FFM address semantics in directBufferAddress by @dreamlike-ocean in #16603
- HTTP2: Ensure HTTP2 preface is always send as first message by @normanmaurer in #16636
- Move Http2FrameCodecSubClassTest to correct package by @normanmaurer in #16640
- Kqueue: Fix usage of LOCAL_PEERPID by @normanmaurer in #16637
- Avoid ArrayQueue allocation in HttpServerCodec by @doom369 in #16596
- Fix file descriptor reuse bug in kqueue by @chrisvest in #16650
- Propagate exceptions from inner threads in buffer tests by @chrisvest in #16643
- Add maxFrameLength support to ProtobufVarint32FrameDecoder by @fru1tworld in #16633
- Avoid byte[] allocation in DefaultChannelId by @doom369 in #16631
- Bump BouncyCastle from 1.83 to 1.84 by @chrisvest in #16660
- HTTP2: Ensure HTTP2 preface is always send as first message (also on the server) by @normanmaurer in #16667
- Update outdated codec-http3 README.md by @fru1tworld in #16665
- Bump up netty-tcnative to 2.0.76.Final by @normanmaurer in #16669
- Fix IllegalReferenceCountException in AdaptiveByteBuf.deallocate() by @gzsombor in #16654
- Skip VarHandle init when unaligned access is supported by @Songdoeon in #16664
- Add generic FileRegion support in io_uring stream channel by @LuciferYang in #16571
- ByteBufAllocatorAllocPatternBenchmark: Ensure each index appears exactly once in releaseIndexes by @laosijikaichele in #16604
- Improve flaky NioSocketChannelTest by @chrisvest in #16679
- Deprecate ObjectCleaner and remove usage by @chrisvest in #16685
- Update to netty-tcnative 2.0.77.Final by @normanmaurer in #16687
- Avoid TCPFastOpen in KQueueCompositeBufferGatheringWriteTest by @chrisvest in #16697
- Update JUnit to 5.14.0 and fix leak scope handling by @yawkat in #16680
- Auto-port 4.2: Avoid NPE in JdkSslClientContext when TrustManagerFactory returns null by @netty-project-bot in #16702
- Avoid NPE in JdkSslServerContext when TrustManagerFactory returns nul… by @normanmaurer in #16700
- IoUring: Fix incorrect assertion which was triggered when two Channel… by @normanmaurer in #16705
- Epoll: Correctly delete fd from epoll if there is nothing to handle by @normanmaurer in #16689
- Update many dependencies by @chrisvest in #16707
- SCTP: Correctly handle SO_BACKLOG by @normanmaurer in #16714
- Load BouncyCastle providers independently by @chrisvest in #16710
- Add UBI9 devcontainer by @chrisvest in #16711
- Consolidate fake exceptions in HTTP/2 tests into Http2TestUtil by @fru1tworld in #16712
- Auto-port 4.2: Fix DiscardClient hang under -Dssl by using a client SSL context by @netty-project-bot in #16724
- Epoll: Use correct inital EpollIoOps by @normanmaurer in #16728
- Activate noPrintGC by default by @chrisvest in #16732
- H2: Add test for header value validation by @chrisvest in #16737
New Contributors
- @ShadowySpirits made their first contribution in #16575
- @fru1tworld made their first contribution in #16633
- @gzsombor made their first contribution in #16654
- @LuciferYang made their first contribution in #16571
Full Changelog: netty-4.2.12.Final...netty-4.2.13.Final
netty-4.1.133.Final
CVEs Fixed
- CVE-2026-42586 (netty-codec-redis)
- CVE-2026-42578 (netty-handler-proxy)
- CVE-2026-42587 (netty-codec-http, netty-codec-http2)
- CVE-2026-41417 (netty-codec-http)
- CVE-2026-42581 (netty-codec-http)
- CVE-2026-42580 (netty-codec-http)
- CVE-2026-42585 (netty-codec-http)
- CVE-2026-42579 (netty-codec-dns)
- CVE-2026-42582 (netty-codec-http3)
- CVE-2026-42583 (netty-codec, netty-codec-compression)
- CVE-2026-42584 (netty-codec-http)
- CVE-2026-44248 (netty-codec-mqtt)
What's Changed
- Fix IndexOutOfBoundsException in StompSubframeDecoder on heartbeat by @daguimu in #16539
- Auto-port 4.1: Fix implementation of strerror_r_xsi for GNU by @netty-project-bot in #16561
- Auto-port 4.1: Replace usage of strerror with thread-safe alternative by @netty-project-bot in #16555
- Auto-port 4.1: Kqueue: sendfile EINTR doesn't advance offset — data duplication by @netty-project-bot in #16554
- Auto-port 4.1: Avoid leak in PemReader on OutOfDirectMemoryError by @netty-project-bot in #16576
- Auto-port 4.1: Native DNS resolver: Guard against malloc failures by @netty-project-bot in #16584
- Auto-port 4.1: Include user properties and subscription IDs in MqttProperties#isEmpty by @netty-project-bot in #16582
- Auto-port 4.1: Fix parsing HTTP chunks with multiple extensions by @netty-project-bot in #16588
- Auto-port 4.1: Stabilize read-only toStringMultipleThreads1 by @netty-project-bot in #16610
- Auto-port 4.1: Epoll: Cleanup code to always return negative value on failure by @netty-project-bot in #16601
- Auto-port 4.1: Stabilize more AbstractByteBufTests by @netty-project-bot in #16613
- Auto-port 4.1: Stabilize testSessionInvalidate for Conscrypt by @netty-project-bot in #16616
- Auto-port 4.1: Native transports: Correctly create pipe when pipe2 is not supported by @netty-project-bot in #16598
- Use stream error for maxContentLength exceeded in InboundHttp2ToHttpAdapter by @daguimu in #16558
- Fix
shutdownInputbug in kqueue for empty recv buffer (#16630) by @normanmaurer in #16638 - Auto-port 4.1: Kqueue: Fix usage of LOCAL_PEERPID by @netty-project-bot in #16646
- Auto-port 4.1: HTTP2: Ensure HTTP2 preface is always send as first message by @netty-project-bot in #16642
- Auto-port 4.1: Propagate exceptions from inner threads in buffer tests by @netty-project-bot in #16652
- Auto-port 4.1: Add maxFrameLength support to ProtobufVarint32FrameDecoder by @netty-project-bot in #16658
- Auto-port 4.1: Bump up netty-tcnative to 2.0.76.Final by @netty-project-bot in #16672
- HTTP2: Ensure HTTP2 preface is always send as first message (also on … by @chrisvest in #16675
- Improve flaky NioSocketChannelTest (#16679) by @normanmaurer in #16681
- Deprecate ObjectCleaner and remove usage (#16685) by @chrisvest in #16694
- Auto-port 4.1: Update to netty-tcnative 2.0.77.Final by @netty-project-bot in #16695
- Avoid NPE in JdkSslServerContext when TrustManagerFactory returns null by @daguimu in #16691
- Avoid NPE in JdkSslClientContext when TrustManagerFactory returns null by @daguimu in #16690
- Auto-port 4.1: Avoid TCPFastOpen in KQueueCompositeBufferGatheringWriteTest by @netty-project-bot in #16699
- Auto-port 4.1: SCTP: Correctly handle SO_BACKLOG by @netty-project-bot in #16715
- Fix DiscardClient hang under -Dssl by using a client SSL context by @daguimu in #16717
- Auto-port 4.1: Consolidate fake exceptions in HTTP/2 tests into Http2TestUtil by @netty-project-bot in #16725
- Auto-port 4.1: Activate noPrintGC by default by @netty-project-bot in #16735
- Merge commit from fork by @normanmaurer in #16742
New Contributors
Full Changelog: netty-4.1.132.Final...netty-4.1.133.Final
netty-4.2.12.Final
What's Changed
- Revert "Eliminate redundant bounds checks in CompositeByteBuf accessors" by @chrisvest in #16550
Full Changelog: netty-4.2.11.Final...netty-4.2.12.Final
netty-4.2.11.Final
Security
- CVE-2026-33871, HTTP/2 CONTINUATION Frame Flood Denial of Service
- CVE-2026-33870, HTTP Request Smuggling via Chunked Extension Quoted-String Parsing
What's Changed
- Update to latest JDK 26 EA release by @normanmaurer in #16230
- HTTP3: Allow to support non-standard HTTP3 settings by @normanmaurer in #16171
- Fix Incorrect nanos-to-millis conversion in epoll_wait EINTR retry loop by @adwsingh in #16245
- Allocate one large segment and slice for each MsgHdrMemory by @dreamlike-ocean in #16234
- Make RefCntOpenSslContext.deallocate more robust by @chrisvest in #16253
- Epoll: Fix excessive CPU usage when Channel is only registered but no… by @normanmaurer in #16250
- Update to gcc for arm 10.3-2021.07 by @m1ngyuan in #16255
- Add acmeIdentifier extension support to pkitesting by @chrisvest in #16256
- Update JDK versions to latest patch releases by @m1ngyuan in #16254
- Avoid allocation in HttpObjectEncoder.addEncodedLengthHex method by @doom369 in #16241
- Automatic backporting workflow from 4.1 to 4.2 by @chrisvest in #16269
- Revert "Automatic backporting workflow from 4.1 to 4.2" by @chrisvest in #16270
- HTTP2: Correctly account for padding when decompress by @normanmaurer in #16264
- Automatic backporting workflow from 4.1 to 4.2 by @chrisvest in #16271
- Automatic backporting workflow from 4.1 to 4.2 by @chrisvest in #16273
- Backport PRs must be created with personal access tokens by @chrisvest in #16276
- Expose QuicSslContextBuilder::sni by @ZeroErrors in #16178
- Add more porting workflows by @chrisvest in #16275
- Add more porting workflows by @chrisvest in #16283
- Remove the unpooled allocator from test permutations by @chrisvest in #16282
- Some polishing of the porting workflows by @chrisvest in #16288
- Allow to set destination connection id when creating a client side QuicheChannel by @normanmaurer in #16286
- Update to latest JDK26 EA build by @normanmaurer in #16295
- Add javadoc to clarify responsibility of the user when generating the remote connection id by @normanmaurer in #16293
- Make the build run faster by @chrisvest in #16290
- Fix IDE warnings in SslHandler by @doom369 in #16237
- Decrease Long allocations and map.put calls in ReferenceCountedOpenSllEngine in handshake() method by @doom369 in #16242
- Support boringssl SSLCredential API by @jmcrawford45 in #15919
- Fix high-order bit aliasing in HttpUtil.validateToken by @furkanvarol in #16279
- Improve multi-byte access performance when UNALIGNED availability is unknown by @Songdoeon in #16207
- Avoid unnecessary SSL.getVersion() call and string allocation in ReferenceCountedOpenSslEngine by @doom369 in #16278
- Support more branch freedom for auto-porting by @chrisvest in #16300
- fix: the precedence of + is higher than >> by @cuiweixie in #16312
- AdaptiveByteBufAllocator: make sure byteBuf.capacity() not greater than byteBuf.maxCapacity() by @laosijikaichele in #16309
- Fix flaky PooledByteBufAllocatorTest by @chrisvest in #16313
- Fix pooled arena accounting tests by @chrisvest in #16321
- Fix RunInFastThreadLocalThreadExtension by @chrisvest in #16314
- AdaptivePoolingAllocator: call
unreserveMatchingBuddy(...)ifbyteBufinitialization failed by @laosijikaichele in #16327 - Recycler should not use thread locals unless they get cleaned up by @chrisvest in #16315
- OpenSSL: Don't leak OpenSslKeyManagerProvider on exception by @normanmaurer in #16337
- IoUring: Only complete deregistration promise once we received all co… by @normanmaurer in #16330
- Mark LoggingHandlerTest with @isolated to fix flaky build by @normanmaurer in #16338
- Fix flaky HTTP/2 test by @chrisvest in #16342
- Fix HTTP/2 push frame test by @chrisvest in #16343
- Fix flaky RenegotiateTest by @chrisvest in #16351
- IoUring: Don't use RDHUP for non stream Channel implementations by @normanmaurer in #16345
- SSL test: Don't depend on property value in test by @normanmaurer in #16346
- Fix flaky AbstractSingleThreadEventLoopTest by @chrisvest in #16352
- Use headers.setInt() in HttpObjectAggregator instead of set() and use concrete version of String.valueOf in CharSequenceValueConverter by @doom369 in #16239
- IoUring: Fix buffer leak in DatagramChannel implementation when recv … by @normanmaurer in #16359
- Don't assume CertificateFactory is thread-safe by @chrisvest in #16350
- AdaptivePoolingAllocator: assign a more explicit value to BuddyChunk.freeListCapacity by @laosijikaichele in #16334
- Fix leak in SniHandlerTest by @chrisvest in #16367
- Add more diagnostic points to PooledByteBufAllocatorTest.createNewThr… by @chrisvest in #16365
- Stabilize AbstractByteBufTest.testBytesInArrayMultipleThreads by @chrisvest in #16370
- Avoid unnecessary Long.toString() allocation in HttpObjectDecoder by @doom369 in #16344
- Remove reference counting from size classed chunks by @franz1981 in #16306
- Stabilize AbstractByteBufTest.testToStringMultipleThreads by @chrisvest in #16380
- Swap conditions to avoid native calls in ReferenceCountedOpenSslEngine.rejectRemoteInitiatedRenegotiation by @doom369 in #16389
- Remove duplicated contains calls in WebSockets by @doom369 in #16388
- IoUring: Reduce unnecessary io_uring_enter syscalls on non-blocking path by @dreamlike-ocean in #16259
- Fix NioIoHandlerTest on macOS by @chrisvest in #16396
- LocalChannel: Remove dependency on SingleThreadEventExecutor by @normanmaurer in #16393
- Fix autoport fetching into the existing branch by @chrisvest in #16403
- HTTP2: Pass the correct number of arguments when logging goaway by @normanmaurer in #16392
- Revert "Fix autoport fetching into the existing branch" by @chrisvest in #16410
- Fix HttpObjectAggregator leaving connection stuck after 413 with AUTO (#16280) by @chrisvest in #16401
- Fix autoport fetching into the existing branch - again by @chrisvest in #16411
- Fix typo in AbstractEpollChannel: 'inital' → 'initial' by @nikitanagar08 in #16415
- Capture why threads get stuck in testCopyMultipleThreads0 by @chrisvest in #16404
- Local transport: shutdown hook should call closeNow to be conistent with what LocalIoHandler will call by @normanmaurer in #16406
- Remove unnecessary array access in DefaultAttributeMap.orderedCopyOnInsert by @doom369 in #16386
- Whitelist JMH annotation processing in microbench module by @laosijikaichele in #16428
- Fire the QuicChannel datagram extension event before the channel becomes active by @vietj in #16425
- HTTP2: Ensure preface is flushed in all cases by @normanmaurer in #16407
- Support QuicheQuicSslEngine hostname identification algorithm. by @vietj in #16426
- Fix client_max_window_bits parameter handling in permessage-deflate extension by @nikitanagar08 in #16424
- Fix UnsupportedOperationException in readTrailingHeaders by @furkanvarol in #16412
- IoUring: Fix io_uring writev infinite loop on kernels without SENDMSG_ZC support by @dreamlike-ocean in #16438
- Kqueue: Correctly handle registrations by @normanmaurer in #16439
- Kqueue: C...