==========================================================================
Ubuntu Security Notice USN-8401-1
June 08, 2026

netty vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 26.04 LTS
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in Netty.

Software Description:
- netty: event-driven asynchronous network application framework

Details:

It was discovered that Netty's HTTP proxy handler did not properly
validate headers when constructing CONNECT requests. An
attacker could possibly use this issue to inject arbitrary HTTP
headers into CONNECT requests. This issue only affected Ubuntu
18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS,
and Ubuntu 26.04 LTS. (CVE-2026-42578)

It was discovered that Netty's DNS codec did not properly enforce
domain name constraints. An attacker could possibly use this issue to
bypass domain name validation, or cause Netty to consume resources,
leading to a denial of service. This issue only affected Ubuntu 20.04
LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 26.04 LTS.
(CVE-2026-42579)

It was discovered that Netty did not correctly handle HTTP/1.0
requests containing both a Transfer-Encoding and Content-Length
header. A remote attacker could possibly use this issue to perform
HTTP request smuggling attacks. (CVE-2026-42581)

Violeta Georgieva discovered that Netty incorrectly paired responses with
requests when handling informational HTTP responses. A remote attacker
could possibly use this issue to perform HTTP request smuggling attacks.
(CVE-2026-42584)

Violeta Georgieva discovered that Netty incorrectly parsed malformed
Transfer-Encoding headers. A remote attacker could possibly use this
issue to perform HTTP request smuggling attacks. (CVE-2026-42585)

It was discovered that Netty's Redis encoder did not validate CRLF
characters. An attacker could possibly use this issue to inject arbitrary
Redis commands. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04
LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 26.04 LTS.
(CVE-2026-42586)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 26.04 LTS
  libnetty-java                   1:4.1.48-16ubuntu0.1~esm2
                                  Available with Ubuntu Pro

Ubuntu 24.04 LTS
  libnetty-java                   1:4.1.48-9ubuntu0.1+esm3
                                  Available with Ubuntu Pro

Ubuntu 22.04 LTS
  libnetty-java                   1:4.1.48-4+deb11u2ubuntu0.1+esm3
                                  Available with Ubuntu Pro

Ubuntu 20.04 LTS
  libnetty-java                   1:4.1.45-1ubuntu0.1~esm6
                                  Available with Ubuntu Pro

Ubuntu 18.04 LTS
  libnetty-java                   1:4.1.7-4ubuntu0.1+esm6
                                  Available with Ubuntu Pro

Ubuntu 16.04 LTS
  libnetty-java                   1:4.0.34-1ubuntu0.1~esm4
                                  Available with Ubuntu Pro

Ubuntu 14.04 LTS
  libnetty-java                   1:3.2.6.Final-2+deb8u2ubuntu0.1~esm1
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-8401-1
  CVE-2026-42578, CVE-2026-42579, CVE-2026-42581, CVE-2026-42584,
  CVE-2026-42585, CVE-2026-42586

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to