
Ubuntu Netty Critical HTTP Injection DoS Vulnerabilities USN-8401-1

June 8, 2026
Multiple critical issues fixed in Netty for Ubuntu affecting various LTS releases, including HTTP injection and DoS risks.

Summary

Several security issues were fixed in Netty.

Software Description:

- netty: event-driven asynchronous network application framework

Details:

It was discovered that Netty's HTTP proxy handler did not properly
validate headers when constructing CONNECT requests. An
attacker could possibly use this issue to inject arbitrary HTTP
headers into CONNECT requests. This issue only affected Ubuntu
18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS,
and Ubuntu 26.04 LTS. (CVE-2026-42578)

It was discovered that Netty's DNS codec did not properly enforce
domain name constraints. An attacker could possibly use this issue to
bypass domain name validation, or cause Netty to consume resources,
leading to a denial of service. This issue only affected Ubuntu 20.04
LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 26.04 LTS.
(CVE-2026-42579)

It was discovered that Netty did not correctly handle HTTP/1.0
requests containing both a Transfer-Encoding and Content-Length
header. A remot...


Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 26.04 LTS
  libnetty-java                   1:4.1.48-16ubuntu0.1~esm2
                                  Available with Ubuntu Pro

Ubuntu 24.04 LTS
  libnetty-java                   1:4.1.48-9ubuntu0.1+esm3
                                  Available with Ubuntu Pro

Ubuntu 22.04 LTS
  libnetty-java                   1:4.1.48-4+deb11u2ubuntu0.1+esm3
                                  Available with Ubuntu Pro

Ubuntu 20.04 LTS
  libnetty-java                   1:4.1.45-1ubuntu0.1~esm6
                                  Available with Ubuntu Pro

Ubuntu 18.04 LTS
  libnetty-java                   1:4.1.7-4ubuntu0.1+esm6
                                  Available with Ubuntu Pro

Ubuntu 16.04 LTS
  libnetty-java                   1:4.0.34-1ubuntu0.1~esm4
                                  Available with Ubuntu Pro

Ubuntu 14.04 LTS
  libnetty-java                   1:3.2.6.Final-2+deb8u2ubuntu0.1~esm1
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.
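
To confirm that a host actually carries the fixed package, the installed version can be compared against the table above. The script below is an added example, not part of the advisory; the function names are hypothetical, the fixed versions are copied from the Update Instructions, and it assumes dpkg and /etc/os-release are present.

```shell
#!/bin/sh
# Added example: verify libnetty-java against the USN-8401-1 fixed versions.

# fixed_version RELEASE: print the fixed version listed for that release.
fixed_version() {
  case "$1" in
    26.04) echo '1:4.1.48-16ubuntu0.1~esm2' ;;
    24.04) echo '1:4.1.48-9ubuntu0.1+esm3' ;;
    22.04) echo '1:4.1.48-4+deb11u2ubuntu0.1+esm3' ;;
    20.04) echo '1:4.1.45-1ubuntu0.1~esm6' ;;
    18.04) echo '1:4.1.7-4ubuntu0.1+esm6' ;;
    16.04) echo '1:4.0.34-1ubuntu0.1~esm4' ;;
    14.04) echo '1:3.2.6.Final-2+deb8u2ubuntu0.1~esm1' ;;
    *) return 1 ;;   # release not covered by this notice
  esac
}

# netty_status RELEASE INSTALLED_VERSION
# Prints one of: patched, vulnerable, not-installed, unknown-release.
netty_status() {
  ns_fixed=$(fixed_version "$1") || { echo unknown-release; return 0; }
  [ -n "$2" ] || { echo not-installed; return 0; }
  # dpkg applies Debian ordering: epochs first, and "~esm" sorts before "+esm".
  if dpkg --compare-versions "$2" ge "$ns_fixed"; then
    echo patched
  else
    echo vulnerable
  fi
}

# check_host: read the release and installed version from the running system.
check_host() {
  ch_release=$(. /etc/os-release 2>/dev/null && echo "$VERSION_ID") || true
  ch_installed=$(dpkg-query -W -f='${Version}' libnetty-java 2>/dev/null) || true
  ch_state=$(netty_status "$ch_release" "$ch_installed")
  echo "libnetty-java ${ch_installed:-<none>} on Ubuntu ${ch_release:-<unknown>}: $ch_state"
}

check_host
```

The fixed versions are marked "Available with Ubuntu Pro", so a host that reports vulnerable also needs that entitlement before the update can install the fix.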

References

https://ubuntu.com/security/notices/USN-8401-1

CVE-2026-42578, CVE-2026-42579, CVE-2026-42581, CVE-2026-42584, CVE-2026-42585, CVE-2026-42586

Severity: critical

Ubuntu Security Notice USN-8401-1
