Home / mailings [USN-8401-1] Netty vulnerabilities
Posted on 08 June 2026
Ubuntu Security==========================================================================Ubuntu Security Notice USN-8401-1
June 08, 2026
netty vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 26.04 LTS
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in Netty.
Software Description:
- netty: event-driven asynchronous network application framework
Details:
It was discovered that Netty's HTTP proxy handler did not properly
validate headers when constructing CONNECT requests. An
attacker could possibly use this issue to inject arbitrary HTTP
headers into CONNECT requests. This issue only affected Ubuntu
18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS,
and Ubuntu 26.04 LTS. (CVE-2026-42578)
It was discovered that Netty's DNS codec did not properly enforce
domain name constraints. An attacker could possibly use this issue to
bypass domain name validation, or cause Netty to consume resources,
leading to a denial of service. This issue only affected Ubuntu 20.04
LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 26.04 LTS.
(CVE-2026-42579)
It was discovered that Netty did not correctly handle HTTP/1.0
requests containing both a Transfer-Encoding and Content-Length
header. A remote attacker could possibly use this issue to perform
HTTP request smuggling attacks. (CVE-2026-42581)
Violeta Georgieva discovered that Netty incorrectly paired responses with
requests when handling informational HTTP responses. A remote attacker
could possibly use this issue to perform HTTP request smuggling attacks.
(CVE-2026-42584)
Violeta Georgieva discovered that Netty incorrectly parsed malformed
Transfer-Encoding headers. A remote attacker could possibly use this
issue to perform HTTP request smuggling attacks. (CVE-2026-42585)
It was discovered that Netty's Redis encoder did not validate CRLF
characters. An attacker could possibly use this issue to inject arbitrary
Redis commands. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04
LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 26.04 LTS.
(CVE-2026-42586)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 26.04 LTS
libnetty-java 1:4.1.48-16ubuntu0.1~esm2
Available with Ubuntu Pro
Ubuntu 24.04 LTS
libnetty-java 1:4.1.48-9ubuntu0.1+esm3
Available with Ubuntu Pro
Ubuntu 22.04 LTS
libnetty-java 1:4.1.48-4+deb11u2ubuntu0.1+esm3
Available with Ubuntu Pro
Ubuntu 20.04 LTS
libnetty-java 1:4.1.45-1ubuntu0.1~esm6
Available with Ubuntu Pro
Ubuntu 18.04 LTS
libnetty-java 1:4.1.7-4ubuntu0.1+esm6
Available with Ubuntu Pro
Ubuntu 16.04 LTS
libnetty-java 1:4.0.34-1ubuntu0.1~esm4
Available with Ubuntu Pro
Ubuntu 14.04 LTS
libnetty-java 1:3.2.6.Final-2+deb8u2ubuntu0.1~esm1
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-8401-1
CVE-2026-42578, CVE-2026-42579, CVE-2026-42581, CVE-2026-42584,
CVE-2026-42585, CVE-2026-42586
--===============5504484343834370304==Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
