Skip to content

Fix race in io.netty.channel.uring.IoUringIoHandler.wakeup#16836

Merged
normanmaurer merged 5 commits into
netty:4.2from
dreamlike-ocean:fix_eventfd_race
May 21, 2026
Merged

Fix race in io.netty.channel.uring.IoUringIoHandler.wakeup#16836
normanmaurer merged 5 commits into
netty:4.2from
dreamlike-ocean:fix_eventfd_race

Conversation

@dreamlike-ocean
Copy link
Copy Markdown
Contributor

@dreamlike-ocean dreamlike-ocean commented May 20, 2026

Motivation:

Fixes a shutdown race in the io_uring transport where wakeup() can write to an eventfd after it has already been closed.

The race looks like this:

Thread T1 (non-eventloop)            Eventloop thread
-------------------------            ----------------
wakeup()
  getAndSet(true) -> false
  flag = true
  [preempted before eventfd_write]

                                     prepareToDestroy()
                                       eventfd_write(1)
                                       submitAndGet()
                                       processCompletionsAndHandleOverflow(...)
                                     handleEventFdRead()
                                       if (!eventFdClosing) {
                                         flag = false
                                       }

                                     destroy()
                                       drainEventFd()
                                         flag.getAndSet(true) -> false
                                         concludes "no pending wakeup"

                                     completeRingClose()
                                       close(eventfd)

T1 resumes
  eventfd_write(eventfd)
  -> EBADF

I also considered setting eventFdClosing earlier, but that changes a different part of the eventfd lifecycle. When eventFdClosing is set, handleEventFdRead() stops clearing eventfdAsyncNotify and stops submitting the next eventfd read:

handleEventFdRead()
  eventfdReadSubmitted = 0

  if (!eventFdClosing) {
      eventfdAsyncNotify = false
      submitEventFdRead()
  }

So if eventFdClosing is moved too early into prepareToDestroy(), shutdown can get stuck in this shape:

prepareToDestroy()
  eventFdClosing = true

eventfd read completion arrives
  handleEventFdRead()
    does not clear eventfdAsyncNotify
    does not submit another eventfd read

destroy()
  drainEventFd()
    sees eventfdAsyncNotify still true
    waits for an eventfd read completion that will not be submitted

Modification:

Add a small wakeup write gate around eventfd_write():

wakeup thread                         event-loop thread
-------------                         -----------------
reserve wakeup writer slot

eventfd_write(eventfd)

release wakeup writer slot
                                      close gate
                                      wait until writer count is 0
                                      close(eventfd)

If the close gate is already closed, wakeup() returns without writing to the eventfd. At that
point there is no event loop left to wake up, so dropping the wakeup is the correct behavior.

I intentionally did not add a larger eventfd state machine or more eventfd write states. The race does not require modeling the whole eventfd lifecycle.

This approach does add some extra atomic read/write overhead on the wakeup path. However, compared with the state-machine based alternative, it keeps the fix more easier to read about.

I did not add a normal unit test for this race because the problematic window is between the eventfdAsyncNotify state transition and the native eventfd_write() call, and there is no good deterministic way to force that interleaving without adding test-only control points to IoUringIoHandler.

Result:

Fixes #16716.

I verified the fix with a dedicated reproducer that pauses wakeup() in the race window: https://github.com/dreamlike-ocean/netty/tree/repro-16716-eventfd-race

The reproducer fails before this change with eventfd_write(...) failed: Bad file descriptor and passes after applying the fix.

I may not fully understand all the details of this race yet, please take a look together and help verify whether this fix is reasonable.
@franz1981 @normanmaurer @tsegismont

@franz1981
Copy link
Copy Markdown
Contributor

franz1981 commented May 20, 2026

We talked about this offline some time ago @dreamlike-ocean - so +1 from me!

franz1981
franz1981 approved these changes May 20, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@franz1981 franz1981 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, waiting on CI still

@normanmaurer
Copy link
Copy Markdown
Member

normanmaurer commented May 20, 2026

Is it possible to add a test ?

@dreamlike-ocean
Copy link
Copy Markdown
Contributor Author

dreamlike-ocean commented May 20, 2026
edited
Loading

Using JUnit’s test class shadowing behavior to shadow IoUringIoHandler during test compilation.
A Groovy script generates a test-scope copy of the real IoUringIoHandler source and injects a small hook before eventFdWrite(...), so the test can deterministically pause the wakeup path at the race window without changing orignal code. (I wish javac supported conditional compilation. Then I wouldn’t need to use Groovy for the shadow class.)

A new unit test is added to simulate the race between wakeup() and handler shutdown.
The test blocks a non-event-loop wakeup thread right before it writes to the eventfd, then lets the event loop destroy and close the eventfd, and finally releases the wakeup thread. This verifies that wakeup() does not write to a closed eventfd and avoids the EBADF failure

Is it possible to add a test ?

@dreamlike-ocean
Copy link
Copy Markdown
Contributor Author

dreamlike-ocean commented May 20, 2026

And the Java 9 setting here is just for the test shadow: generate-iouring-handler-shadow.groovy may copy code that uses Thread.onSpinWait()....

@dreamlike-ocean
Copy link
Copy Markdown
Contributor Author

dreamlike-ocean commented May 20, 2026

Looks like CI is not happy with the Groovy setup I used. I’m working on a fix.

@normanmaurer
Copy link
Copy Markdown
Member

normanmaurer commented May 20, 2026

@dreamlike-ocean if it is impossible to get the testing working just remove it..

@dreamlike-ocean
Revert "add ut"
86547ce 
This reverts commit d367bba.
@normanmaurer normanmaurer added this to the 4.2.14.Final milestone May 20, 2026
@normanmaurer normanmaurer added the needs-cherry-pick-5.0 This PR should be cherry-picked to 5.0 once merged. label May 20, 2026
@chrisvest chrisvest modified the milestones: 4.2.14.Final, 4.2.15.Final May 20, 2026
@normanmaurer normanmaurer merged commit b022b47 into netty:4.2 May 21, 2026
21 checks passed
@netty-project-bot
Copy link
Copy Markdown
Contributor

netty-project-bot commented May 21, 2026

Auto-port PR for 5.0: #16842

@netty-project-bot netty-project-bot mentioned this pull request May 21, 2026
Merged
@github-actions github-actions Bot removed the needs-cherry-pick-5.0 This PR should be cherry-picked to 5.0 once merged. label May 21, 2026
normanmaurer pushed a commit that referenced this pull request May 21, 2026
@netty-project-bot @dreamlike-ocean
Auto-port 5.0: Fix race in io.netty.channel.uring.IoUringIoHandler.wa…
ac59a89 
…keup (#16842)

Auto-port of #16836 to 5.0
Cherry-picked commit: b022b47

---
Motivation:

Fixes a shutdown race in the io_uring transport where `wakeup()` can
write to an eventfd after it has already been closed.

The race looks like this:

```text
Thread T1 (non-eventloop)            Eventloop thread
-------------------------            ----------------
wakeup()
  getAndSet(true) -> false
  flag = true
  [preempted before eventfd_write]

                                     prepareToDestroy()
                                       eventfd_write(1)
                                       submitAndGet()
                                       processCompletionsAndHandleOverflow(...)
                                     handleEventFdRead()
                                       if (!eventFdClosing) {
                                         flag = false
                                       }

                                     destroy()
                                       drainEventFd()
                                         flag.getAndSet(true) -> false
                                         concludes "no pending wakeup"

                                     completeRingClose()
                                       close(eventfd)

T1 resumes
  eventfd_write(eventfd)
  -> EBADF
```

I also considered setting `eventFdClosing` earlier, but that changes a
different part of the eventfd lifecycle. When `eventFdClosing` is set,
`handleEventFdRead()` stops clearing `eventfdAsyncNotify` and stops
submitting the next eventfd read:

```text
handleEventFdRead()
  eventfdReadSubmitted = 0

  if (!eventFdClosing) {
      eventfdAsyncNotify = false
      submitEventFdRead()
  }
```

So if `eventFdClosing` is moved too early into `prepareToDestroy()`,
shutdown can get stuck in this shape:

```text
prepareToDestroy()
  eventFdClosing = true

eventfd read completion arrives
  handleEventFdRead()
    does not clear eventfdAsyncNotify
    does not submit another eventfd read

destroy()
  drainEventFd()
    sees eventfdAsyncNotify still true
    waits for an eventfd read completion that will not be submitted
```


Modification:

Add a small wakeup write gate around `eventfd_write()`:

```text
wakeup thread                         event-loop thread
-------------                         -----------------
reserve wakeup writer slot

eventfd_write(eventfd)

release wakeup writer slot
                                      close gate
                                      wait until writer count is 0
                                      close(eventfd)
```

If the close gate is already closed, `wakeup()` returns without writing
to the eventfd. At that
point there is no event loop left to wake up, so dropping the wakeup is
the correct behavior.

I intentionally did not add a larger eventfd state machine or more
eventfd write states. The race does not require modeling the whole
eventfd lifecycle.

This approach does add some extra atomic read/write overhead on the
wakeup path. However, compared with the state-machine based alternative,
it keeps the fix more easier to read about.

I did not add a normal unit test for this race because the problematic
window is between the `eventfdAsyncNotify` state transition and the
native `eventfd_write()` call, and there is no good deterministic way to
force that interleaving without adding test-only control points to
`IoUringIoHandler`.

Result:

Fixes #16716.

I verified the fix with a dedicated reproducer that pauses `wakeup()` in
the race window:
https://github.com/dreamlike-ocean/netty/tree/repro-16716-eventfd-race

The reproducer fails before this change with `eventfd_write(...) failed:
Bad file descriptor` and passes after applying the fix.

I may not fully understand all the details of this race yet, please take
a look together and help verify whether this fix is reasonable.
@franz1981 @normanmaurer @tsegismont

Co-authored-by: Mengyang Li <[email protected]>
@dongjoon-hyun dongjoon-hyun mentioned this pull request Jun 4, 2026
Closed
dongjoon-hyun added a commit to apache/spark-kubernetes-operator that referenced this pull request Jun 4, 2026
@dongjoon-hyun
[SPARK-57272] Upgrade Netty to 4.2.15.Final
ef978e0 
### What changes were proposed in this pull request?

This PR aims to upgrade `Netty` to 4.2.15.Final.

### Why are the changes needed?

To bring the latest bug fixes:

- https://netty.io/news/2026/06/01/4-2-15-Final.html
  - [CVE-2026-48059](GHSA-h2qv-fj59-j46j): memory exhaustion in io.netty:netty-codec-haproxy (high).
  - [CVE-2026-47691](GHSA-5pvg-856g-cp85): DNS cache poisoning in io.netty:netty-resolver-dns (high).
  - [CVE-2026-XXXXX](https://github.com/netty/netty/security/advisories/GHSA-563q-j3cm-6jxm): DDoS in io.netty:netty-codec-http2.
  - [CVE-2026-XXXXX](GHSA-5w86-c3rq-vjj7): memory exhaustion in io.netty:netty-codec-redis (high).
  - [CVE-2026-44250](GHSA-3244-j874-rhc2): memory exhaustion in io.netty:netty-codec-redis (high).
  - [CVE-2026-44890](GHSA-6ghj-frrj-jjj3): memory exhaustion in io.netty:netty-codec-redis (high).
  - [CVE-2026-XXXXX](GHSA-cq4q-cv5g-r8q5): information disclosure and denial of service in io.netty:netty-codec-classes-quic.
  - [CVE-2026-44249](GHSA-3qp7-7mw8-wx86): IPv6 subnet filter bypass in io.netty:netty-handler (high).
  - [CVE-2026-XXXXX](GHSA-hvcg-qmg6-jm4c): request smuggling in io.netty:netty-codec-http.
  - [CVE-2026-44892](GHSA-c2rx-5r8w-8xr2): memory exhaustion in io.netty:netty-codec-http3 (high).
  - [CVE-2026-44893](GHSA-cc37-9q2j-3hfv): memory leak in io.netty:netty-codec-haproxy (high).
  - [CVE-2026-44894](GHSA-cmm3-54f8-px4j): traffic amplification in io.netty:netty-codec-classes-quic (high).
  - [CVE-2026-XXXXX](GHSA-c653-97m9-rcg9): TLS hostname verification accidentally disabled in io.netty:netty-handler (high).
  - [CVE-2026-45673](GHSA-xmv7-r254-6q78): DNS cache poisoning in io.netty:netty-resolver-dns.
  - [CVE-2026-45416](GHSA-x4gw-5cx5-pgmh): excessive memory usage from SNIHandler in io.netty:netty-handler (high).
  - [CVE-2026-45536](GHSA-w573-9ffj-6ff9): file descriptor leak in io.netty:netty-transport-native-epoll and io.netty:netty-transport-native-kqueue.
  - [CVE-2026-45674](GHSA-676x-f7gg-47vc): DNS cache poisoning in io.netty:netty-resolver-dns (high).
  - [CVE-2026-46340](GHSA-5xrh-qmmq-w6ch): memory exhaustion in io.netty:netty-transport-sctp (high).
  - [CVE-2026-47244](GHSA-5x3r-wrvg-rp6q): denial of service in io.netty:netty-codec-http2.
  - [CVE-2026-48006](GHSA-6jv9-x5w9-2ccm): memory exhaustion in io.netty:netty-codec-redis (high).
  - [CVE-2026-48748](GHSA-4grm-h2qv-h6w6): memory exhaustion in io.netty:netty-codec-http3 (high).
  - [CVE-2026-48043](GHSA-c2gf-v879-257j): memory exhaustion in io.netty:netty-codec-http2.
  - Fix race in io.netty.channel.uring.IoUringIoHandler.wakeup [#16836](netty/netty#16836)
  - HTTP/2: Parse request-target path like Vert.x [#16810](netty/netty#16810)
  - ChannelInitializer: correct misleading comment on exceptionCaught route [#16853](netty/netty#16853)
  - FlowControlHandler: Suppress duplicate channelReadComplete after draining queue [#16837](netty/netty#16837)
  - Pass maxAllocation to Brotli and Zstd decoders [#16844](netty/netty#16844)
  - Add maxWindowLog parameter to ZstdDecoder to bound memory allocation [#16850](netty/netty#16850)
  - MQTT: Reject malformed no-payload packets with non-zero Remaining Length [#16890](netty/netty#16890)

### Does this PR introduce _any_ user-facing change?

No.

### How was this patch tested?

Pass the CIs.

### Was this patch authored or co-authored using generative AI tooling?

Generated-by: Claude Opus 4.8

Closes #700 from dongjoon-hyun/SPARK-57272.

Authored-by: Dongjoon Hyun <[email protected]>
Signed-off-by: Dongjoon Hyun <[email protected]>
mergify Bot added a commit to ArcadeData/arcadedb that referenced this pull request Jun 7, 2026
@mergify
chore(deps): bump netty.version from 4.2.14.Final to 4.2.15.Final [sk…
169f59a 
…ip ci]

Bumps `netty.version` from 4.2.14.Final to 4.2.15.Final.
Updates `io.netty:netty-transport` from 4.2.14.Final to 4.2.15.Final
Release notes

*Sourced from [io.netty:netty-transport's releases](https://github.com/netty/netty/releases).*

> netty-4.2.15.Final
> ------------------
>
> Security fixes
> --------------
>
> * [CVE-2026-48059](GHSA-h2qv-fj59-j46j): memory exhaustion in `io.netty:netty-codec-haproxy` (high).
> * [CVE-2026-47691](GHSA-5pvg-856g-cp85): DNS cache poisoning in `io.netty:netty-resolver-dns` (high).
> * [CVE-2026-XXXXX](https://github.com/netty/netty/security/advisories/GHSA-563q-j3cm-6jxm): DDoS in `io.netty:netty-codec-http2`.
> * [CVE-2026-50011](GHSA-5w86-c3rq-vjj7): memory exhaustion in `io.netty:netty-codec-redis` (high).
> * [CVE-2026-44250](GHSA-3244-j874-rhc2): memory exhaustion in `io.netty:netty-codec-redis` (high).
> * [CVE-2026-44890](GHSA-6ghj-frrj-jjj3): memory exhaustion in `io.netty:netty-codec-redis` (high).
> * [CVE-2026-50009](GHSA-cq4q-cv5g-r8q5): information disclosure and denial of service in `io.netty:netty-codec-classes-quic`.
> * [CVE-2026-44249](GHSA-3qp7-7mw8-wx86): IPv6 subnet filter bypass in `io.netty:netty-handler` (high).
> * [CVE-2026-50020](GHSA-hvcg-qmg6-jm4c): request smuggling in `io.netty:netty-codec-http`.
> * [CVE-2026-44892](GHSA-c2rx-5r8w-8xr2): memory exhaustion in `io.netty:netty-codec-http3` (high).
> * [CVE-2026-44893](GHSA-cc37-9q2j-3hfv): memory leak in `io.netty:netty-codec-haproxy` (high).
> * [CVE-2026-44894](GHSA-cmm3-54f8-px4j): traffic amplification in `io.netty:netty-codec-classes-quic` (high).
> * [CVE-2026-50010](GHSA-c653-97m9-rcg9): TLS hostname verification accidentally disabled in `io.netty:netty-handler` (high).
> * [CVE-2026-45673](GHSA-xmv7-r254-6q78): DNS cache poisoning in `io.netty:netty-resolver-dns`.
> * [CVE-2026-45416](GHSA-x4gw-5cx5-pgmh): excessive memory usage from SNIHandler in `io.netty:netty-handler` (high).
> * [CVE-2026-45536](GHSA-w573-9ffj-6ff9): file descriptor leak in `io.netty:netty-transport-native-epoll` and `io.netty:netty-transport-native-kqueue`.
> * [CVE-2026-45674](GHSA-676x-f7gg-47vc): DNS cache poisoning in `io.netty:netty-resolver-dns` (high).
> * [CVE-2026-46340](GHSA-5xrh-qmmq-w6ch): memory exhaustion in `io.netty:netty-transport-sctp` (high).
> * [CVE-2026-47244](GHSA-5x3r-wrvg-rp6q): denial of service in `io.netty:netty-codec-http2`.
> * [CVE-2026-48006](GHSA-6jv9-x5w9-2ccm): memory exhaustion in `io.netty:netty-codec-redis` (high).
> * [CVE-2026-48748](GHSA-4grm-h2qv-h6w6): memory exhaustion in `io.netty:netty-codec-http3` (high).
> * [CVE-2026-48043](GHSA-c2gf-v879-257j): memory exhaustion in `io.netty:netty-codec-http2`.
>
> What's Changed
> --------------
>
> * Fix race in io.netty.channel.uring.IoUringIoHandler.wakeup by [`@​dreamlike-ocean`](https://github.com/dreamlike-ocean) in [netty/netty#16836](https://redirect.github.com/netty/netty/pull/16836)
> * HTTP/2: Parse request-target path like Vert.x by [`@​yawkat`](https://github.com/yawkat) in [netty/netty#16810](https://redirect.github.com/netty/netty/pull/16810)
> * Auto-port 4.2: ChannelInitializer: correct misleading comment on exceptionCaught route by [`@​netty-project-bot`](https://github.com/netty-project-bot) in [netty/netty#16853](https://redirect.github.com/netty/netty/pull/16853)
> * FlowControlHandler: Suppress duplicate channelReadComplete after draining queue ([#15053](https://redirect.github.com/netty/netty/issues/15053)) by [`@​schiemon`](https://github.com/schiemon) in [netty/netty#16837](https://redirect.github.com/netty/netty/pull/16837)
> * Pass maxAllocation to Brotli and Zstd decoders by [`@​fedinskiy`](https://github.com/fedinskiy) in [netty/netty#16844](https://redirect.github.com/netty/netty/pull/16844)
> * Fix revapi warnings by [`@​chrisvest`](https://github.com/chrisvest) in [netty/netty#16885](https://redirect.github.com/netty/netty/pull/16885)
> * Fix SCTP and Redis tests by [`@​chrisvest`](https://github.com/chrisvest) in [netty/netty#16893](https://redirect.github.com/netty/netty/pull/16893)
> * Add maxWindowLog parameter to ZstdDecoder to bound memory allocation by [`@​skyguard1`](https://github.com/skyguard1) in [netty/netty#16850](https://redirect.github.com/netty/netty/pull/16850)
> * Auto-port 4.2: MQTT: Reject malformed no-payload packets with non-zero Remaining Length by [`@​netty-project-bot`](https://github.com/netty-project-bot) in [netty/netty#16890](https://redirect.github.com/netty/netty/pull/16890)
>
> New Contributors
> ----------------
>
> * [`@​schiemon`](https://github.com/schiemon) made their first contribution in [netty/netty#16837](https://redirect.github.com/netty/netty/pull/16837)
> * [`@​fedinskiy`](https://github.com/fedinskiy) made their first contribution in [netty/netty#16844](https://redirect.github.com/netty/netty/pull/16844)
>
> **Full Changelog**: <netty/netty@netty-4.2.14.Final...netty-4.2.15.Final>


Commits

* [`a41f7b2`](netty/netty@a41f7b2) [maven-release-plugin] prepare release netty-4.2.15.Final
* [`2394530`](netty/netty@2394530) Auto-port 4.2: MQTT: Reject malformed no-payload packets with non-zero Remain...
* [`0bd1657`](netty/netty@0bd1657) Add maxWindowLog parameter to ZstdDecoder to bound memory allocation ([#16850](https://redirect.github.com/netty/netty/issues/16850))
* [`76291f5`](netty/netty@76291f5) Fix SCTP and Redis tests ([#16893](https://redirect.github.com/netty/netty/issues/16893))
* [`e067b6e`](netty/netty@e067b6e) Fix revapi warnings ([#16885](https://redirect.github.com/netty/netty/issues/16885))
* [`5a52600`](netty/netty@5a52600) Pass maxAllocation to Brotli and Zstd decoders ([#16844](https://redirect.github.com/netty/netty/issues/16844))
* [`541add0`](netty/netty@541add0) Merge commit from fork
* [`270800e`](netty/netty@270800e) Merge commit from fork
* [`3d45a1e`](netty/netty@3d45a1e) Merge commit from fork
* [`75127ca`](netty/netty@75127ca) Merge commit from fork
* Additional commits viewable in [compare view](netty/netty@netty-4.2.14.Final...netty-4.2.15.Final)
  
Updates `io.netty:netty-codec` from 4.2.14.Final to 4.2.15.Final
Release notes

*Sourced from [io.netty:netty-codec's releases](https://github.com/netty/netty/releases).*

> netty-4.2.15.Final
> ------------------
>
> Security fixes
> --------------
>
> * [CVE-2026-48059](GHSA-h2qv-fj59-j46j): memory exhaustion in `io.netty:netty-codec-haproxy` (high).
> * [CVE-2026-47691](GHSA-5pvg-856g-cp85): DNS cache poisoning in `io.netty:netty-resolver-dns` (high).
> * [CVE-2026-XXXXX](https://github.com/netty/netty/security/advisories/GHSA-563q-j3cm-6jxm): DDoS in `io.netty:netty-codec-http2`.
> * [CVE-2026-50011](GHSA-5w86-c3rq-vjj7): memory exhaustion in `io.netty:netty-codec-redis` (high).
> * [CVE-2026-44250](GHSA-3244-j874-rhc2): memory exhaustion in `io.netty:netty-codec-redis` (high).
> * [CVE-2026-44890](GHSA-6ghj-frrj-jjj3): memory exhaustion in `io.netty:netty-codec-redis` (high).
> * [CVE-2026-50009](GHSA-cq4q-cv5g-r8q5): information disclosure and denial of service in `io.netty:netty-codec-classes-quic`.
> * [CVE-2026-44249](GHSA-3qp7-7mw8-wx86): IPv6 subnet filter bypass in `io.netty:netty-handler` (high).
> * [CVE-2026-50020](GHSA-hvcg-qmg6-jm4c): request smuggling in `io.netty:netty-codec-http`.
> * [CVE-2026-44892](GHSA-c2rx-5r8w-8xr2): memory exhaustion in `io.netty:netty-codec-http3` (high).
> * [CVE-2026-44893](GHSA-cc37-9q2j-3hfv): memory leak in `io.netty:netty-codec-haproxy` (high).
> * [CVE-2026-44894](GHSA-cmm3-54f8-px4j): traffic amplification in `io.netty:netty-codec-classes-quic` (high).
> * [CVE-2026-50010](GHSA-c653-97m9-rcg9): TLS hostname verification accidentally disabled in `io.netty:netty-handler` (high).
> * [CVE-2026-45673](GHSA-xmv7-r254-6q78): DNS cache poisoning in `io.netty:netty-resolver-dns`.
> * [CVE-2026-45416](GHSA-x4gw-5cx5-pgmh): excessive memory usage from SNIHandler in `io.netty:netty-handler` (high).
> * [CVE-2026-45536](GHSA-w573-9ffj-6ff9): file descriptor leak in `io.netty:netty-transport-native-epoll` and `io.netty:netty-transport-native-kqueue`.
> * [CVE-2026-45674](GHSA-676x-f7gg-47vc): DNS cache poisoning in `io.netty:netty-resolver-dns` (high).
> * [CVE-2026-46340](GHSA-5xrh-qmmq-w6ch): memory exhaustion in `io.netty:netty-transport-sctp` (high).
> * [CVE-2026-47244](GHSA-5x3r-wrvg-rp6q): denial of service in `io.netty:netty-codec-http2`.
> * [CVE-2026-48006](GHSA-6jv9-x5w9-2ccm): memory exhaustion in `io.netty:netty-codec-redis` (high).
> * [CVE-2026-48748](GHSA-4grm-h2qv-h6w6): memory exhaustion in `io.netty:netty-codec-http3` (high).
> * [CVE-2026-48043](GHSA-c2gf-v879-257j): memory exhaustion in `io.netty:netty-codec-http2`.
>
> What's Changed
> --------------
>
> * Fix race in io.netty.channel.uring.IoUringIoHandler.wakeup by [`@​dreamlike-ocean`](https://github.com/dreamlike-ocean) in [netty/netty#16836](https://redirect.github.com/netty/netty/pull/16836)
> * HTTP/2: Parse request-target path like Vert.x by [`@​yawkat`](https://github.com/yawkat) in [netty/netty#16810](https://redirect.github.com/netty/netty/pull/16810)
> * Auto-port 4.2: ChannelInitializer: correct misleading comment on exceptionCaught route by [`@​netty-project-bot`](https://github.com/netty-project-bot) in [netty/netty#16853](https://redirect.github.com/netty/netty/pull/16853)
> * FlowControlHandler: Suppress duplicate channelReadComplete after draining queue ([#15053](https://redirect.github.com/netty/netty/issues/15053)) by [`@​schiemon`](https://github.com/schiemon) in [netty/netty#16837](https://redirect.github.com/netty/netty/pull/16837)
> * Pass maxAllocation to Brotli and Zstd decoders by [`@​fedinskiy`](https://github.com/fedinskiy) in [netty/netty#16844](https://redirect.github.com/netty/netty/pull/16844)
> * Fix revapi warnings by [`@​chrisvest`](https://github.com/chrisvest) in [netty/netty#16885](https://redirect.github.com/netty/netty/pull/16885)
> * Fix SCTP and Redis tests by [`@​chrisvest`](https://github.com/chrisvest) in [netty/netty#16893](https://redirect.github.com/netty/netty/pull/16893)
> * Add maxWindowLog parameter to ZstdDecoder to bound memory allocation by [`@​skyguard1`](https://github.com/skyguard1) in [netty/netty#16850](https://redirect.github.com/netty/netty/pull/16850)
> * Auto-port 4.2: MQTT: Reject malformed no-payload packets with non-zero Remaining Length by [`@​netty-project-bot`](https://github.com/netty-project-bot) in [netty/netty#16890](https://redirect.github.com/netty/netty/pull/16890)
>
> New Contributors
> ----------------
>
> * [`@​schiemon`](https://github.com/schiemon) made their first contribution in [netty/netty#16837](https://redirect.github.com/netty/netty/pull/16837)
> * [`@​fedinskiy`](https://github.com/fedinskiy) made their first contribution in [netty/netty#16844](https://redirect.github.com/netty/netty/pull/16844)
>
> **Full Changelog**: <netty/netty@netty-4.2.14.Final...netty-4.2.15.Final>


Commits

* [`a41f7b2`](netty/netty@a41f7b2) [maven-release-plugin] prepare release netty-4.2.15.Final
* [`2394530`](netty/netty@2394530) Auto-port 4.2: MQTT: Reject malformed no-payload packets with non-zero Remain...
* [`0bd1657`](netty/netty@0bd1657) Add maxWindowLog parameter to ZstdDecoder to bound memory allocation ([#16850](https://redirect.github.com/netty/netty/issues/16850))
* [`76291f5`](netty/netty@76291f5) Fix SCTP and Redis tests ([#16893](https://redirect.github.com/netty/netty/issues/16893))
* [`e067b6e`](netty/netty@e067b6e) Fix revapi warnings ([#16885](https://redirect.github.com/netty/netty/issues/16885))
* [`5a52600`](netty/netty@5a52600) Pass maxAllocation to Brotli and Zstd decoders ([#16844](https://redirect.github.com/netty/netty/issues/16844))
* [`541add0`](netty/netty@541add0) Merge commit from fork
* [`270800e`](netty/netty@270800e) Merge commit from fork
* [`3d45a1e`](netty/netty@3d45a1e) Merge commit from fork
* [`75127ca`](netty/netty@75127ca) Merge commit from fork
* Additional commits viewable in [compare view](netty/netty@netty-4.2.14.Final...netty-4.2.15.Final)
  
Updates `io.netty:netty-handler` from 4.2.14.Final to 4.2.15.Final
Release notes

*Sourced from [io.netty:netty-handler's releases](https://github.com/netty/netty/releases).*

> netty-4.2.15.Final
> ------------------
>
> Security fixes
> --------------
>
> * [CVE-2026-48059](GHSA-h2qv-fj59-j46j): memory exhaustion in `io.netty:netty-codec-haproxy` (high).
> * [CVE-2026-47691](GHSA-5pvg-856g-cp85): DNS cache poisoning in `io.netty:netty-resolver-dns` (high).
> * [CVE-2026-XXXXX](https://github.com/netty/netty/security/advisories/GHSA-563q-j3cm-6jxm): DDoS in `io.netty:netty-codec-http2`.
> * [CVE-2026-50011](GHSA-5w86-c3rq-vjj7): memory exhaustion in `io.netty:netty-codec-redis` (high).
> * [CVE-2026-44250](GHSA-3244-j874-rhc2): memory exhaustion in `io.netty:netty-codec-redis` (high).
> * [CVE-2026-44890](GHSA-6ghj-frrj-jjj3): memory exhaustion in `io.netty:netty-codec-redis` (high).
> * [CVE-2026-50009](GHSA-cq4q-cv5g-r8q5): information disclosure and denial of service in `io.netty:netty-codec-classes-quic`.
> * [CVE-2026-44249](GHSA-3qp7-7mw8-wx86): IPv6 subnet filter bypass in `io.netty:netty-handler` (high).
> * [CVE-2026-50020](GHSA-hvcg-qmg6-jm4c): request smuggling in `io.netty:netty-codec-http`.
> * [CVE-2026-44892](GHSA-c2rx-5r8w-8xr2): memory exhaustion in `io.netty:netty-codec-http3` (high).
> * [CVE-2026-44893](GHSA-cc37-9q2j-3hfv): memory leak in `io.netty:netty-codec-haproxy` (high).
> * [CVE-2026-44894](GHSA-cmm3-54f8-px4j): traffic amplification in `io.netty:netty-codec-classes-quic` (high).
> * [CVE-2026-50010](GHSA-c653-97m9-rcg9): TLS hostname verification accidentally disabled in `io.netty:netty-handler` (high).
> * [CVE-2026-45673](GHSA-xmv7-r254-6q78): DNS cache poisoning in `io.netty:netty-resolver-dns`.
> * [CVE-2026-45416](GHSA-x4gw-5cx5-pgmh): excessive memory usage from SNIHandler in `io.netty:netty-handler` (high).
> * [CVE-2026-45536](GHSA-w573-9ffj-6ff9): file descriptor leak in `io.netty:netty-transport-native-epoll` and `io.netty:netty-transport-native-kqueue`.
> * [CVE-2026-45674](GHSA-676x-f7gg-47vc): DNS cache poisoning in `io.netty:netty-resolver-dns` (high).
> * [CVE-2026-46340](GHSA-5xrh-qmmq-w6ch): memory exhaustion in `io.netty:netty-transport-sctp` (high).
> * [CVE-2026-47244](GHSA-5x3r-wrvg-rp6q): denial of service in `io.netty:netty-codec-http2`.
> * [CVE-2026-48006](GHSA-6jv9-x5w9-2ccm): memory exhaustion in `io.netty:netty-codec-redis` (high).
> * [CVE-2026-48748](GHSA-4grm-h2qv-h6w6): memory exhaustion in `io.netty:netty-codec-http3` (high).
> * [CVE-2026-48043](GHSA-c2gf-v879-257j): memory exhaustion in `io.netty:netty-codec-http2`.
>
> What's Changed
> --------------
>
> * Fix race in io.netty.channel.uring.IoUringIoHandler.wakeup by [`@​dreamlike-ocean`](https://github.com/dreamlike-ocean) in [netty/netty#16836](https://redirect.github.com/netty/netty/pull/16836)
> * HTTP/2: Parse request-target path like Vert.x by [`@​yawkat`](https://github.com/yawkat) in [netty/netty#16810](https://redirect.github.com/netty/netty/pull/16810)
> * Auto-port 4.2: ChannelInitializer: correct misleading comment on exceptionCaught route by [`@​netty-project-bot`](https://github.com/netty-project-bot) in [netty/netty#16853](https://redirect.github.com/netty/netty/pull/16853)
> * FlowControlHandler: Suppress duplicate channelReadComplete after draining queue ([#15053](https://redirect.github.com/netty/netty/issues/15053)) by [`@​schiemon`](https://github.com/schiemon) in [netty/netty#16837](https://redirect.github.com/netty/netty/pull/16837)
> * Pass maxAllocation to Brotli and Zstd decoders by [`@​fedinskiy`](https://github.com/fedinskiy) in [netty/netty#16844](https://redirect.github.com/netty/netty/pull/16844)
> * Fix revapi warnings by [`@​chrisvest`](https://github.com/chrisvest) in [netty/netty#16885](https://redirect.github.com/netty/netty/pull/16885)
> * Fix SCTP and Redis tests by [`@​chrisvest`](https://github.com/chrisvest) in [netty/netty#16893](https://redirect.github.com/netty/netty/pull/16893)
> * Add maxWindowLog parameter to ZstdDecoder to bound memory allocation by [`@​skyguard1`](https://github.com/skyguard1) in [netty/netty#16850](https://redirect.github.com/netty/netty/pull/16850)
> * Auto-port 4.2: MQTT: Reject malformed no-payload packets with non-zero Remaining Length by [`@​netty-project-bot`](https://github.com/netty-project-bot) in [netty/netty#16890](https://redirect.github.com/netty/netty/pull/16890)
>
> New Contributors
> ----------------
>
> * [`@​schiemon`](https://github.com/schiemon) made their first contribution in [netty/netty#16837](https://redirect.github.com/netty/netty/pull/16837)
> * [`@​fedinskiy`](https://github.com/fedinskiy) made their first contribution in [netty/netty#16844](https://redirect.github.com/netty/netty/pull/16844)
>
> **Full Changelog**: <netty/netty@netty-4.2.14.Final...netty-4.2.15.Final>


Commits

* [`a41f7b2`](netty/netty@a41f7b2) [maven-release-plugin] prepare release netty-4.2.15.Final
* [`2394530`](netty/netty@2394530) Auto-port 4.2: MQTT: Reject malformed no-payload packets with non-zero Remain...
* [`0bd1657`](netty/netty@0bd1657) Add maxWindowLog parameter to ZstdDecoder to bound memory allocation ([#16850](https://redirect.github.com/netty/netty/issues/16850))
* [`76291f5`](netty/netty@76291f5) Fix SCTP and Redis tests ([#16893](https://redirect.github.com/netty/netty/issues/16893))
* [`e067b6e`](netty/netty@e067b6e) Fix revapi warnings ([#16885](https://redirect.github.com/netty/netty/issues/16885))
* [`5a52600`](netty/netty@5a52600) Pass maxAllocation to Brotli and Zstd decoders ([#16844](https://redirect.github.com/netty/netty/issues/16844))
* [`541add0`](netty/netty@541add0) Merge commit from fork
* [`270800e`](netty/netty@270800e) Merge commit from fork
* [`3d45a1e`](netty/netty@3d45a1e) Merge commit from fork
* [`75127ca`](netty/netty@75127ca) Merge commit from fork
* Additional commits viewable in [compare view](netty/netty@netty-4.2.14.Final...netty-4.2.15.Final)
  
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
Dependabot commands and options
  
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show  ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
mergify Bot added a commit to ArcadeData/arcadedb that referenced this pull request Jun 7, 2026
@mergify
chore(deps): bump io.netty:netty-all from 4.2.14.Final to 4.2.15.Fina…
f306abd 
…l [skip ci]

Bumps [io.netty:netty-all](https://github.com/netty/netty) from 4.2.14.Final to 4.2.15.Final.
Release notes

*Sourced from [io.netty:netty-all's releases](https://github.com/netty/netty/releases).*

> netty-4.2.15.Final
> ------------------
>
> Security fixes
> --------------
>
> * [CVE-2026-48059](GHSA-h2qv-fj59-j46j): memory exhaustion in `io.netty:netty-codec-haproxy` (high).
> * [CVE-2026-47691](GHSA-5pvg-856g-cp85): DNS cache poisoning in `io.netty:netty-resolver-dns` (high).
> * [CVE-2026-XXXXX](https://github.com/netty/netty/security/advisories/GHSA-563q-j3cm-6jxm): DDoS in `io.netty:netty-codec-http2`.
> * [CVE-2026-50011](GHSA-5w86-c3rq-vjj7): memory exhaustion in `io.netty:netty-codec-redis` (high).
> * [CVE-2026-44250](GHSA-3244-j874-rhc2): memory exhaustion in `io.netty:netty-codec-redis` (high).
> * [CVE-2026-44890](GHSA-6ghj-frrj-jjj3): memory exhaustion in `io.netty:netty-codec-redis` (high).
> * [CVE-2026-50009](GHSA-cq4q-cv5g-r8q5): information disclosure and denial of service in `io.netty:netty-codec-classes-quic`.
> * [CVE-2026-44249](GHSA-3qp7-7mw8-wx86): IPv6 subnet filter bypass in `io.netty:netty-handler` (high).
> * [CVE-2026-50020](GHSA-hvcg-qmg6-jm4c): request smuggling in `io.netty:netty-codec-http`.
> * [CVE-2026-44892](GHSA-c2rx-5r8w-8xr2): memory exhaustion in `io.netty:netty-codec-http3` (high).
> * [CVE-2026-44893](GHSA-cc37-9q2j-3hfv): memory leak in `io.netty:netty-codec-haproxy` (high).
> * [CVE-2026-44894](GHSA-cmm3-54f8-px4j): traffic amplification in `io.netty:netty-codec-classes-quic` (high).
> * [CVE-2026-50010](GHSA-c653-97m9-rcg9): TLS hostname verification accidentally disabled in `io.netty:netty-handler` (high).
> * [CVE-2026-45673](GHSA-xmv7-r254-6q78): DNS cache poisoning in `io.netty:netty-resolver-dns`.
> * [CVE-2026-45416](GHSA-x4gw-5cx5-pgmh): excessive memory usage from SNIHandler in `io.netty:netty-handler` (high).
> * [CVE-2026-45536](GHSA-w573-9ffj-6ff9): file descriptor leak in `io.netty:netty-transport-native-epoll` and `io.netty:netty-transport-native-kqueue`.
> * [CVE-2026-45674](GHSA-676x-f7gg-47vc): DNS cache poisoning in `io.netty:netty-resolver-dns` (high).
> * [CVE-2026-46340](GHSA-5xrh-qmmq-w6ch): memory exhaustion in `io.netty:netty-transport-sctp` (high).
> * [CVE-2026-47244](GHSA-5x3r-wrvg-rp6q): denial of service in `io.netty:netty-codec-http2`.
> * [CVE-2026-48006](GHSA-6jv9-x5w9-2ccm): memory exhaustion in `io.netty:netty-codec-redis` (high).
> * [CVE-2026-48748](GHSA-4grm-h2qv-h6w6): memory exhaustion in `io.netty:netty-codec-http3` (high).
> * [CVE-2026-48043](GHSA-c2gf-v879-257j): memory exhaustion in `io.netty:netty-codec-http2`.
>
> What's Changed
> --------------
>
> * Fix race in io.netty.channel.uring.IoUringIoHandler.wakeup by [`@​dreamlike-ocean`](https://github.com/dreamlike-ocean) in [netty/netty#16836](https://redirect.github.com/netty/netty/pull/16836)
> * HTTP/2: Parse request-target path like Vert.x by [`@​yawkat`](https://github.com/yawkat) in [netty/netty#16810](https://redirect.github.com/netty/netty/pull/16810)
> * Auto-port 4.2: ChannelInitializer: correct misleading comment on exceptionCaught route by [`@​netty-project-bot`](https://github.com/netty-project-bot) in [netty/netty#16853](https://redirect.github.com/netty/netty/pull/16853)
> * FlowControlHandler: Suppress duplicate channelReadComplete after draining queue ([#15053](https://redirect.github.com/netty/netty/issues/15053)) by [`@​schiemon`](https://github.com/schiemon) in [netty/netty#16837](https://redirect.github.com/netty/netty/pull/16837)
> * Pass maxAllocation to Brotli and Zstd decoders by [`@​fedinskiy`](https://github.com/fedinskiy) in [netty/netty#16844](https://redirect.github.com/netty/netty/pull/16844)
> * Fix revapi warnings by [`@​chrisvest`](https://github.com/chrisvest) in [netty/netty#16885](https://redirect.github.com/netty/netty/pull/16885)
> * Fix SCTP and Redis tests by [`@​chrisvest`](https://github.com/chrisvest) in [netty/netty#16893](https://redirect.github.com/netty/netty/pull/16893)
> * Add maxWindowLog parameter to ZstdDecoder to bound memory allocation by [`@​skyguard1`](https://github.com/skyguard1) in [netty/netty#16850](https://redirect.github.com/netty/netty/pull/16850)
> * Auto-port 4.2: MQTT: Reject malformed no-payload packets with non-zero Remaining Length by [`@​netty-project-bot`](https://github.com/netty-project-bot) in [netty/netty#16890](https://redirect.github.com/netty/netty/pull/16890)
>
> New Contributors
> ----------------
>
> * [`@​schiemon`](https://github.com/schiemon) made their first contribution in [netty/netty#16837](https://redirect.github.com/netty/netty/pull/16837)
> * [`@​fedinskiy`](https://github.com/fedinskiy) made their first contribution in [netty/netty#16844](https://redirect.github.com/netty/netty/pull/16844)
>
> **Full Changelog**: <netty/netty@netty-4.2.14.Final...netty-4.2.15.Final>


Commits

* [`a41f7b2`](netty/netty@a41f7b2) [maven-release-plugin] prepare release netty-4.2.15.Final
* [`2394530`](netty/netty@2394530) Auto-port 4.2: MQTT: Reject malformed no-payload packets with non-zero Remain...
* [`0bd1657`](netty/netty@0bd1657) Add maxWindowLog parameter to ZstdDecoder to bound memory allocation ([#16850](https://redirect.github.com/netty/netty/issues/16850))
* [`76291f5`](netty/netty@76291f5) Fix SCTP and Redis tests ([#16893](https://redirect.github.com/netty/netty/issues/16893))
* [`e067b6e`](netty/netty@e067b6e) Fix revapi warnings ([#16885](https://redirect.github.com/netty/netty/issues/16885))
* [`5a52600`](netty/netty@5a52600) Pass maxAllocation to Brotli and Zstd decoders ([#16844](https://redirect.github.com/netty/netty/issues/16844))
* [`541add0`](netty/netty@541add0) Merge commit from fork
* [`270800e`](netty/netty@270800e) Merge commit from fork
* [`3d45a1e`](netty/netty@3d45a1e) Merge commit from fork
* [`75127ca`](netty/netty@75127ca) Merge commit from fork
* Additional commits viewable in [compare view](netty/netty@netty-4.2.14.Final...netty-4.2.15.Final)
  
[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility\_score?dependency-name=io.netty:netty-all&package-manager=maven&previous-version=4.2.14.Final&new-version=4.2.15.Final)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
Dependabot commands and options
  
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show  ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@normanmaurer normanmaurer normanmaurer approved these changes

@franz1981 franz1981 franz1981 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

4.2.15.Final

Development

Successfully merging this pull request may close these issues.

ChannelException for Bad file descriptor thrown in IoUringIoHandler.wakeup

5 participants

@dreamlike-ocean @franz1981 @normanmaurer @netty-project-bot @chrisvest