Ubuntu 26.04 Netty Key Security Update for Request Smuggling Flaws
Jun 08, 2026
•
LinuxSecurity Advisories
2 - 3 min read
Several security issues were fixed in Netty.
==========================================================================
Ubuntu Security Notice USN-8401-1
June 08, 2026
netty vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 26.04 LTS
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in Netty.
Software Description:
- netty: event-driven asynchronous network application framework
Details:
It was discovered that Netty's HTTP proxy handler did not properly
validate headers when constructing CONNECT requests. An
attacker could possibly use this issue to inject arbitrary HTTP
headers into CONNECT requests. This issue only affected Ubuntu
18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS,
and Ubuntu 26.04 LTS. (CVE-2026-42578)
It was discovered that Netty's DNS codec did not properly enforce
domain name constraints. An attacker could possibly use this issue to
bypass domain name validation, or cause Netty to consume resources,
leading to a denial of service. This issue only affected Ubuntu 20.04
LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 26.04 LTS.
(CVE-2026-42579)
It was discovered that Netty did not correctly handle HTTP/1.0
requests containing both a Transfer-Encoding and Content-Length
header. A remote attacker could possibly use this issue to perform
HTTP request smuggling attacks. (CVE-2026-42581)
Violeta Georgieva discovered that Netty incorrectly paired responses with
requests when handling informational HTTP responses. A remote attacker
could possibly use this issue to perform HTTP request smuggling attacks.
(CVE-2026-42584)
Violeta Georgieva discovered that Netty incorrectly parsed malformed
Transfer-Encoding headers. A remote attacker could possibly use this
issue to perform HTTP request smuggling attacks. (CVE-2026-42585)
It was discovered that Netty's Redis encoder did not validate CRLF
characters. An attacker could possibly use this issue to inject arbitrary
Redis commands. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04
LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 26.04 LTS.
(CVE-2026-42586)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 26.04 LTS
libnetty-java 1:4.1.48-16ubuntu0.1~esm2
Available with Ubuntu Pro
Ubuntu 24.04 LTS
libnetty-java 1:4.1.48-9ubuntu0.1+esm3
Available with Ubuntu Pro
Ubuntu 22.04 LTS
libnetty-java 1:4.1.48-4+deb11u2ubuntu0.1+esm3
Available with Ubuntu Pro
Ubuntu 20.04 LTS
libnetty-java 1:4.1.45-1ubuntu0.1~esm6
Available with Ubuntu Pro
Ubuntu 18.04 LTS
libnetty-java 1:4.1.7-4ubuntu0.1+esm6
Available with Ubuntu Pro
Ubuntu 16.04 LTS
libnetty-java 1:4.0.34-1ubuntu0.1~esm4
Available with Ubuntu Pro
Ubuntu 14.04 LTS
libnetty-java 1:3.2.6.Final-2+deb8u2ubuntu0.1~esm1
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-8401-1
CVE-2026-42578, CVE-2026-42579, CVE-2026-42581, CVE-2026-42584,
CVE-2026-42585, CVE-2026-42586
PREVIOUS
NEXT
Ubuntu 26.04 Netty Key Security Update for Request Smuggling Flaws
ubuntu
June 8, 2026
Several security issues were fixed in Netty.
Summary
A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 26.04 LTS - Ubuntu 24.04 LTS - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS - Ubuntu 16.04 LTS - Ubuntu 14.04 LTS Summary: Several security issues were fixed in Netty. Software Description: - netty: event-driven asynchronous network application framework Details: It was discovered that Netty's HTTP proxy handler did not properly validate headers when constructing CONNECT requests. An attacker could possibly use this issue to inject arbitrary HTTP headers into CONNECT requests. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 26.04 LTS. (CVE-2026-42578) It was discovered that Netty's DNS codec did not properly enforce domain name constraints. An attacker could possibly use this issue to bypass domain name validation, or cause Netty to consume resources, leading to a denial of service. This issue only affected Ubuntu 20.04 LTS, Ub...
Read the Full AdvisoryUpdate Instructions
The problem can be corrected by updating your system to the following package versions: Ubuntu 26.04 LTS libnetty-java 1:4.1.48-16ubuntu0.1~esm2 Available with Ubuntu Pro Ubuntu 24.04 LTS libnetty-java 1:4.1.48-9ubuntu0.1+esm3 Available with Ubuntu Pro Ubuntu 22.04 LTS libnetty-java 1:4.1.48-4+deb11u2ubuntu0.1+esm3 Available with Ubuntu Pro Ubuntu 20.04 LTS libnetty-java 1:4.1.45-1ubuntu0.1~esm6 Available with Ubuntu Pro Ubuntu 18.04 LTS libnetty-java 1:4.1.7-4ubuntu0.1+esm6 Available with Ubuntu Pro Ubuntu 16.04 LTS libnetty-java 1:4.0.34-1ubuntu0.1~esm4 Available with Ubuntu Pro Ubuntu 14.04 LTS libnetty-java 1:3.2.6.Final-2+deb8u2ubuntu0.1~esm1 Available with Ubuntu Pro In general, a standard system update will make all the necessary changes.
References
https://ubuntu.com/security/notices/USN-8401-1
CVE-2026-42578, CVE-2026-42579, CVE-2026-42581, CVE-2026-42584,
CVE-2026-42585, CVE-2026-42586
Severity
important
Lowest
Low
Medium
High
Critical
Ubuntu Security Notice USN-8401-1
Package Information
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Related News
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!