netty/netty netty-4.2.11.Final

on GitHub

Security

• CVE-2026-33871, HTTP/2 CONTINUATION Frame Flood Denial of Service
• CVE-2026-33870, HTTP Request Smuggling via Chunked Extension Quoted-String Parsing

What's Changed

• Update to latest JDK 26 EA release by @normanmaurer in #16230
• HTTP3: Allow to support non-standard HTTP3 settings by @normanmaurer in #16171
• Fix Incorrect nanos-to-millis conversion in epoll_wait EINTR retry loop by @adwsingh in #16245
• Allocate one large segment and slice for each MsgHdrMemory by @dreamlike-ocean in #16234
• Make RefCntOpenSslContext.deallocate more robust by @chrisvest in #16253
• Epoll: Fix excessive CPU usage when Channel is only registered but no… by @normanmaurer in #16250
• Update to gcc for arm 10.3-2021.07 by @m1ngyuan in #16255
• Add acmeIdentifier extension support to pkitesting by @chrisvest in #16256
• Update JDK versions to latest patch releases by @m1ngyuan in #16254
• Avoid allocation in HttpObjectEncoder.addEncodedLengthHex method by @doom369 in #16241
• Automatic backporting workflow from 4.1 to 4.2 by @chrisvest in #16269
• Revert "Automatic backporting workflow from 4.1 to 4.2" by @chrisvest in #16270
• HTTP2: Correctly account for padding when decompress by @normanmaurer in #16264
• Automatic backporting workflow from 4.1 to 4.2 by @chrisvest in #16271
• Automatic backporting workflow from 4.1 to 4.2 by @chrisvest in #16273
• Backport PRs must be created with personal access tokens by @chrisvest in #16276
• Expose QuicSslContextBuilder::sni by @ZeroErrors in #16178
• Add more porting workflows by @chrisvest in #16275
• Add more porting workflows by @chrisvest in #16283
• Remove the unpooled allocator from test permutations by @chrisvest in #16282
• Some polishing of the porting workflows by @chrisvest in #16288
• Allow to set destination connection id when creating a client side QuicheChannel by @normanmaurer in #16286
• Update to latest JDK26 EA build by @normanmaurer in #16295
• Add javadoc to clarify responsibility of the user when generating the remote connection id by @normanmaurer in #16293
• Make the build run faster by @chrisvest in #16290
• Fix IDE warnings in SslHandler by @doom369 in #16237
• Decrease Long allocations and map.put calls in ReferenceCountedOpenSllEngine in handshake() method by @doom369 in #16242
• Support boringssl SSLCredential API by @jmcrawford45 in #15919
• Fix high-order bit aliasing in HttpUtil.validateToken by @furkanvarol in #16279
• Improve multi-byte access performance when UNALIGNED availability is unknown by @Songdoeon in #16207
• Avoid unnecessary SSL.getVersion() call and string allocation in ReferenceCountedOpenSslEngine by @doom369 in #16278
• Support more branch freedom for auto-porting by @chrisvest in #16300
• fix: the precedence of + is higher than >> by @cuiweixie in #16312
• AdaptiveByteBufAllocator: make sure byteBuf.capacity() not greater than byteBuf.maxCapacity() by @laosijikaichele in #16309
• Fix flaky PooledByteBufAllocatorTest by @chrisvest in #16313
• Fix pooled arena accounting tests by @chrisvest in #16321
• Fix RunInFastThreadLocalThreadExtension by @chrisvest in #16314
• AdaptivePoolingAllocator: call unreserveMatchingBuddy(...) if byteBuf initialization failed by @laosijikaichele in #16327
• Recycler should not use thread locals unless they get cleaned up by @chrisvest in #16315
• OpenSSL: Don't leak OpenSslKeyManagerProvider on exception by @normanmaurer in #16337
• IoUring: Only complete deregistration promise once we received all co… by @normanmaurer in #16330
• Mark LoggingHandlerTest with @isolated to fix flaky build by @normanmaurer in #16338
• Fix flaky HTTP/2 test by @chrisvest in #16342
• Fix HTTP/2 push frame test by @chrisvest in #16343
• Fix flaky RenegotiateTest by @chrisvest in #16351
• IoUring: Don't use RDHUP for non stream Channel implementations by @normanmaurer in #16345
• SSL test: Don't depend on property value in test by @normanmaurer in #16346
• Fix flaky AbstractSingleThreadEventLoopTest by @chrisvest in #16352
• Use headers.setInt() in HttpObjectAggregator instead of set() and use concrete version of String.valueOf in CharSequenceValueConverter by @doom369 in #16239
• IoUring: Fix buffer leak in DatagramChannel implementation when recv … by @normanmaurer in #16359
• Don't assume CertificateFactory is thread-safe by @chrisvest in #16350
• AdaptivePoolingAllocator: assign a more explicit value to BuddyChunk.freeListCapacity by @laosijikaichele in #16334
• Fix leak in SniHandlerTest by @chrisvest in #16367
• Add more diagnostic points to PooledByteBufAllocatorTest.createNewThr… by @chrisvest in #16365
• Stabilize AbstractByteBufTest.testBytesInArrayMultipleThreads by @chrisvest in #16370
• Avoid unnecessary Long.toString() allocation in HttpObjectDecoder by @doom369 in #16344
• Remove reference counting from size classed chunks by @franz1981 in #16306
• Stabilize AbstractByteBufTest.testToStringMultipleThreads by @chrisvest in #16380
• Swap conditions to avoid native calls in ReferenceCountedOpenSslEngine.rejectRemoteInitiatedRenegotiation by @doom369 in #16389
• Remove duplicated contains calls in WebSockets by @doom369 in #16388
• IoUring: Reduce unnecessary io_uring_enter syscalls on non-blocking path by @dreamlike-ocean in #16259
• Fix NioIoHandlerTest on macOS by @chrisvest in #16396
• LocalChannel: Remove dependency on SingleThreadEventExecutor by @normanmaurer in #16393
• Fix autoport fetching into the existing branch by @chrisvest in #16403
• HTTP2: Pass the correct number of arguments when logging goaway by @normanmaurer in #16392
• Revert "Fix autoport fetching into the existing branch" by @chrisvest in #16410
• Fix HttpObjectAggregator leaving connection stuck after 413 with AUTO (#16280) by @chrisvest in #16401
• Fix autoport fetching into the existing branch - again by @chrisvest in #16411
• Fix typo in AbstractEpollChannel: 'inital' → 'initial' by @nikitanagar08 in #16415
• Capture why threads get stuck in testCopyMultipleThreads0 by @chrisvest in #16404
• Local transport: shutdown hook should call closeNow to be conistent with what LocalIoHandler will call by @normanmaurer in #16406
• Remove unnecessary array access in DefaultAttributeMap.orderedCopyOnInsert by @doom369 in #16386
• Whitelist JMH annotation processing in microbench module by @laosijikaichele in #16428
• Fire the QuicChannel datagram extension event before the channel becomes active by @vietj in #16425
• HTTP2: Ensure preface is flushed in all cases by @normanmaurer in #16407
• Support QuicheQuicSslEngine hostname identification algorithm. by @vietj in #16426
• Fix client_max_window_bits parameter handling in permessage-deflate extension by @nikitanagar08 in #16424
• Fix UnsupportedOperationException in readTrailingHeaders by @furkanvarol in #16412
• IoUring: Fix io_uring writev infinite loop on kernels without SENDMSG_ZC support by @dreamlike-ocean in #16438
• Kqueue: Correctly handle registrations by @normanmaurer in #16439
• Kqueue: Correctly use KqueueIoOps.data() when update change list by @normanmaurer in #16440
• Native transports: Fix possible fd leak when fcntl fails. by @normanmaurer in #16442
• Kqueue: Fix undefined behaviour when GetStringUTFChars fails and SO_ACCEPTFILTER is supported by @normanmaurer in #16441
• AbstractByteBuf._internalNioBuffer() might throw exception by @normanmaurer in #16423
• Native transports: Fix undefined behaviour when GetStringUTFChars fails while open FD by @normanmaurer in #16450
• Kqueue: Possible overflow when using netty_kqueue_bsdsocket_setAcceptFilter(...) by @normanmaurer in #16451
• Epoll: Add null checks for safety reasons by @normanmaurer in #16454
• DnsNameResolver: Skip test if we can not bind TCP and UDP to the same port by @normanmaurer in #16455
• Epoll: Use correct value to initialize mmsghdr.msg_namelen by @normanmaurer in #16460
• Epoll: Fix support for IP_RECVORIGDSTADDR by @normanmaurer in #16461
• Make unpooled buffers avoid shared arenas by @chrisvest in #16443
• Kqueue: Add testsuite on macOS during PR validation by @normanmaurer in #15159
• AdaptivePoolingAllocator: remove ensureAccessible() call in capacity(int) method by @laosijikaichele in #16473
• Epoll: Remove outdated docs about usage of edge-triggered by @normanmaurer in #16478
• IoUring: Correctly unregister native functions on OnLoad failure by @normanmaurer in #16487
• QUIC: Correctly handle selection of alpn protos by @normanmaurer in #16484
• QUIC: Correctly handle malloc errors during ssl context creation by @normanmaurer in #16483
• QUIC: Don'l leak memory when context is detroyed by @normanmaurer in #16481
• Quic: Fix global reference leak by @normanmaurer in #16480
• Log value of io.netty.ignoreExpensiveClean property during initialization by @normanmaurer in #16479
• Cleanup: Fix typo in method name by @normanmaurer in #16477
• AdaptivePoolingAllocator: Fix assertion for size class multiple of 32 by @laosijikaichele in #16474
• ByteBufAllocatorAllocPatternBenchmark: Fix case sensitivity in benchmark method name check by @laosijikaichele in #16482
• Avoid unpooled allocator in CloseWebSocketFrame by @Munoon in #16486
• IoUring: Correctly handle the case when malloc fails during probe by @normanmaurer in #16501
• IoUring: Correctly unload native stuff by @normanmaurer in #16502
• IoUring: Use correct errno value in exception by @normanmaurer in #16500
• IoUring: Use more correct bitmask check by @normanmaurer in #16507
• IoUring: Correctly handle return value of sys_io_uring_register(...) while register und unregister buffer ring by @normanmaurer in #16508
• IoUring: Add NULL check for GetStringUTFChars(...) by @normanmaurer in #16509
• Reduce allocations in WebSocketServerHandshaker13 by @doom369 in #16505
• Epoll / IoUring: setTcpMg5Sig(...) might overflow by @normanmaurer in #16511
• Fix docker image for cross-compiling by @normanmaurer in #16522
• Replace ClosedChannelException with StacklessClosedChannelException by @Munoon in #16506
• Allocate less in QueryStringDecoder.addParam for typical use case by @doom369 in #16527
• Enforce io.netty.maxDirectMemory accounting on all Java versions by @j-bahr in #16489
• JdkZlibDecoder: accumulate decompressed output before firing channelRead by @franz1981 in #16510
• Eliminate redundant bounds checks in CompositeByteBuf accessors by @franz1981 in #16525
• Auto-port 4.2: Limit the number of Continuation frames per HTTP2 Headers by @netty-project-bot in #16536

New Contributors

• @jmcrawford45 made their first contribution in #15919
• @furkanvarol made their first contribution in #16279
• @Songdoeon made their first contribution in #16207
• @cuiweixie made their first contribution in #16312
• @nikitanagar08 made their first contribution in #16415

Full Changelog: netty-4.2.10.Final...netty-4.2.11.Final