CVE-2026-33870 Netty: HTTP Request Smuggling via Chunked Extension Quoted-String Parsing

[dependabot]

Bumps io.netty:netty-codec-http from 4.1.129.Final to 4.1.132.Final.

Release notes

Sourced from io.netty:netty-codec-http's releases.

netty-4.1.132.Final

Security

• CVE-2026-33871, HTTP/2 CONTINUATION Frame Flood Denial of Service
• CVE-2026-33870, HTTP Request Smuggling via Chunked Extension Quoted-String Parsing

What's Changed

• Fix Incorrect nanos-to-millis conversion in epoll_wait EINTR retry lo… by @​normanmaurer in netty/netty#16248
• Make RefCntOpenSslContext.deallocate more robust (#16253) by @​normanmaurer in netty/netty#16257
• Update to gcc for arm 10.3-2021.07 (#16255) by @​normanmaurer in netty/netty#16263
• HTTP2: Correctly account for padding when decompress by @​normanmaurer in netty/netty#16265
• Update JDK versions to latest patch releases (#16254) by @​normanmaurer in netty/netty#16267
• Backport 4.1: Automatic backporting workflow from 4.1 to 4.2 by @​github-actions[bot] in netty/netty#16274
• Backport 4.1: Backport PRs must be created with personal access tokens by @​chrisvest in netty/netty#16277
• Backport 4.1: Add more porting workflows by @​netty-project-bot in netty/netty#16284
• Backport 4.1: Some polishing of the porting workflows by @​netty-project-bot in netty/netty#16292
• Backport 4.1: Fix high-order bit aliasing in HttpUtil.validateToken by @​netty-project-bot in netty/netty#16303
• Auto-port 4.1: Support more branch freedom for auto-porting by @​netty-project-bot in netty/netty#16310
• fix: the precedence of + is higher than >> (#16312) by @​chrisvest in netty/netty#16316
• AdaptiveByteBufAllocator: make sure byteBuf.capacity() not greater th… by @​chrisvest in netty/netty#16320
• Auto-port 4.1: Fix flaky PooledByteBufAllocatorTest by @​netty-project-bot in netty/netty#16324
• Auto-port 4.1: Fix pooled arena accounting tests by @​netty-project-bot in netty/netty#16326
• Auto-port 4.1: Fix RunInFastThreadLocalThreadExtension by @​netty-project-bot in netty/netty#16328
• Auto-port 4.1: AdaptivePoolingAllocator: call unreserveMatchingBuddy(...) if byteBuf initialization failed by @​netty-project-bot in netty/netty#16331
• Auto-port 4.1: Mark LoggingHandlerTest with @​Isolated to fix flaky build by @​netty-project-bot in netty/netty#16340
• Auto-port 4.1: Fix flaky HTTP/2 test by @​netty-project-bot in netty/netty#16348
• Auto-port 4.1: Fix flaky RenegotiateTest by @​netty-project-bot in netty/netty#16355
• Auto-port 4.1: Fix HTTP/2 push frame test by @​netty-project-bot in netty/netty#16353
• SSL test: Don't depend on property value in test (#16346) by @​normanmaurer in netty/netty#16362
• Auto-port 4.1: Don't assume CertificateFactory is thread-safe by @​netty-project-bot in netty/netty#16364
• AdaptivePoolingAllocator: assign a more explicit value to BuddyChunk.freeListCapacity (#16334) by @​chrisvest in netty/netty#16368
• Auto-port 4.1: Add more diagnostic points to PooledByteBufAllocatorTest.createNewThr… by @​netty-project-bot in netty/netty#16372
• Fix leak in SniHandlerTest (#16367) by @​normanmaurer in netty/netty#16377
• Auto-port 4.1: Stabilize AbstractByteBufTest.testBytesInArrayMultipleThreads by @​netty-project-bot in netty/netty#16373
• Remove reference counting from size classed chunks (#16306) by @​chrisvest in netty/netty#16379
• Auto-port 4.1: Stabilize AbstractByteBufTest.testToStringMultipleThreads by @​netty-project-bot in netty/netty#16384
• Fix HttpObjectAggregator leaving connection stuck after 413 with AUTO… by @​samlandfried in netty/netty#16280
• Auto-port 4.1: Fix autoport fetching into the existing branch - again by @​netty-project-bot in netty/netty#16417
• Auto-port 4.1: Capture why threads get stuck in testCopyMultipleThreads0 by @​netty-project-bot in netty/netty#16419
• Auto-port 4.1: Remove unnecessary array access in DefaultAttributeMap.orderedCopyOnInsert by @​netty-project-bot in netty/netty#16421
• Auto-port 4.1: Whitelist JMH annotation processing in microbench module by @​netty-project-bot in netty/netty#16430
• Auto-port 4.1: HTTP2: Ensure preface is flushed in all cases by @​netty-project-bot in netty/netty#16432
• Auto-port 4.1: Fix UnsupportedOperationException in readTrailingHeaders by @​netty-project-bot in netty/netty#16437
• Auto-port 4.1: Fix client_max_window_bits parameter handling in permessage-deflate extension by @​netty-project-bot in netty/netty#16435
• Auto-port 4.1: Native transports: Fix possible fd leak when fcntl fails. by @​netty-project-bot in netty/netty#16446
• Auto-port 4.1: Kqueue: Fix undefined behaviour when GetStringUTFChars fails and SO_ACCEPTFILTER is supported by @​netty-project-bot in netty/netty#16448
• Auto-port 4.1: Kqueue: Possible overflow when using netty_kqueue_bsdsocket_setAcceptFilter(...) by @​netty-project-bot in netty/netty#16459
• Auto-port 4.1: Native transports: Fix undefined behaviour when GetStringUTFChars fails while open FD by @​netty-project-bot in netty/netty#16456
• Auto-port 4.1: Epoll: Add null checks for safety reasons by @​netty-project-bot in netty/netty#16463
• Auto-port 4.1: DnsNameResolver: Skip test if we can not bind TCP and UDP to the same port by @​netty-project-bot in netty/netty#16464

... (truncated)

Commits

• ec119d4 [maven-release-plugin] prepare release netty-4.1.132.Final
• 60e53c9 Stricter HTTP/1.1 chunk extension parsing (#16537)
• 9f47a7b Limit the number of Continuation frames per HTTP2 Headers (#13969)
• 10c1603 Auto-port 4.1: JdkZlibDecoder: accumulate decompressed output before firing c...
• df65997 Epoll: setTcpMg5Sig(...) might overflow (#16511) (#16520)
• 692ec87 Auto-port 4.1: AdaptivePoolingAllocator: Fix assertion for size class multipl...
• 3ac3f37 Auto-port 4.1: AdaptivePoolingAllocator: remove ensureAccessible() call in ...
• 5a0072b Auto-port 4.1: Epoll: Fix support for IP_RECVORIGDSTADDR (#16468)
• 779fce7 Auto-port 4.1: Epoll: Use correct value to initialize mmsghdr.msg_namelen (#1...
• 56d84e1 Auto-port 4.1: DnsNameResolver: Skip test if we can not bind TCP and UDP to t...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.