
FlowControlHandler: Suppress duplicate channelReadComplete after draining queue (#15053) #16837

Merged: normanmaurer merged 2 commits into netty:4.2 from schiemon:issue-15053-flowcontrol-decompressor-reproducer on Jun 1, 2026

@schiemon
Contributor

@schiemon schiemon commented May 20, 2026

Motivation

FlowControlHandler has two problems related to read completions:

  1. Assume autoRead == false and FlowControlHandler has already queued two messages from upstream. If a downstream handler calls read(), FlowControlHandler serves that read with the first queued message. Since the queue is still not empty, FlowControlHandler does not fire channelReadComplete.

    Because allowRead == false, no further messages are delivered downstream until the downstream handler calls read() again. A downstream handler that waits for channelReadComplete before issuing the next read() may therefore stall.

  2. Assume FlowControlHandler has just emptied its queue and correctly fired channelRead followed by channelReadComplete. If FlowControlHandler then receives one or more channelReadComplete events from upstream, it currently relays all of them downstream, resulting in duplicate channelReadComplete events. This is unexpected because, from the perspective of downstream handlers, there are no further read operations in progress.

To solve problem 1., we want to ensure that with autoRead == false, FlowControlHandler fires channelReadComplete after dequeueing a message for a downstream read(), even if the queue is not empty. This, however, needs to be done carefully as the read() can be reentered after fireChannelRead(...).

To solve problem 2., we want to ensure that FlowControlHandler does not pass through upstream channelReadComplete events by default. The only case where it needs to relay such an event is when there are one or more downstream reads for which we did not fire a message yet.

Modification

FlowControlHandler now tracks unsatisfied downstream read() calls in activeReads. A read is unsatisfied if it has not yet resulted in a downstream fireChannelRead(...).

Based on this state, read(), channelRead(...), and channelReadComplete(...) were adapted to match the target behavior. dequeue() is no longer responsible for firing channelReadComplete.

Testing

Result

FlowControlHandler now:

  • fires channelReadComplete after dequeueing one or more messages given there are no further unsatisfied read() calls, even if the queue is not empty (solving Problem 1);
  • refires an upstream channelReadComplete only for empty reads, i.e. when upstream completes a read without producing a channelRead (solving Problem 2, fixing FlowControlHandler and HttpContentDecompressor do not play nicely together #15053).
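
The stall from Problem 1 can be observed with Netty's `EmbeddedChannel`. The probe below is an added example, not code from this PR or from Netty's test suite; the names `FlowControlStallProbe`, `ReadOnCompleteHandler` and `probe` are hypothetical, and it assumes the Netty transport and handler modules are on the classpath. It records the event sequence a read-on-complete handler sees, so the same class can be run against a version with and without the fix.

```java
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelInboundHandlerAdapter;
import io.netty.channel.embedded.EmbeddedChannel;
import io.netty.handler.flow.FlowControlHandler;

import java.util.ArrayList;
import java.util.List;

// Added example (hypothetical class): shows what a downstream handler observes
// behind FlowControlHandler when auto-read is off and messages are already queued.
public final class FlowControlStallProbe {

    // Hypothetical downstream handler: it asks for the next message only after
    // the previous read has been reported complete (the pattern from Problem 1).
    static final class ReadOnCompleteHandler extends ChannelInboundHandlerAdapter {
        final List<String> events = new ArrayList<>();

        @Override
        public void channelRead(ChannelHandlerContext ctx, Object msg) {
            events.add("read:" + msg);
        }

        @Override
        public void channelReadComplete(ChannelHandlerContext ctx) {
            events.add("complete");
            ctx.read();
        }
    }

    // Queues `queuedMessages` constructed sample messages, issues one read(),
    // and returns the events the downstream handler saw as a result.
    static List<String> probe(int queuedMessages) throws Exception {
        ReadOnCompleteHandler downstream = new ReadOnCompleteHandler();
        EmbeddedChannel channel = new EmbeddedChannel(
                false, false, new FlowControlHandler(), downstream);
        channel.config().setAutoRead(false);
        channel.register();

        // Upstream delivers before downstream has asked for anything,
        // so FlowControlHandler has to hold the messages in its queue.
        for (int i = 1; i <= queuedMessages; i++) {
            channel.writeOneInbound("msg" + i).syncUninterruptibly();
        }

        // A single downstream read(); every further read() must come from
        // ReadOnCompleteHandler reacting to channelReadComplete.
        channel.read();

        // Snapshot before teardown: closing the channel removes the handlers,
        // which may flush whatever is still queued and would hide a stall.
        List<String> seen = new ArrayList<>(downstream.events);
        channel.finishAndReleaseAll();
        return seen;
    }

    public static void main(String[] args) throws Exception {
        int queued = 2;
        List<String> seen = probe(queued);
        long delivered = seen.stream().filter(e -> e.startsWith("read:")).count();
        System.out.println("events seen by downstream: " + seen);
        System.out.println(delivered < queued
                ? "stalled: " + delivered + " of " + queued + " queued messages delivered"
                : "all " + queued + " queued messages delivered");
    }
}
```

With the behaviour described under Problem 1, the handler receives the first message, never sees `channelReadComplete`, and the remaining message stays queued.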

@normanmaurer
Member

@schiemon let us know once this is ready for review ... Also did you sign the ICLA ? https://netty.io/s/icla

@schiemon schiemon force-pushed the issue-15053-flowcontrol-decompressor-reproducer branch from c6a0e73 to a0f75a9 Compare May 23, 2026 15:12
@schiemon
Contributor Author

schiemon commented May 23, 2026

@normanmaurer

> let us know once this is ready for review

No worries, I will 👍

> Also did you sign the ICLA ?

done

@schiemon
Contributor Author

schiemon commented May 23, 2026

    // We're firing a completion event every time one (or more)
    // messages were consumed and the queue ended up being drained
    // to an empty state.
    if (queue != null && queue.isEmpty()) {
        queue.recycle();
        queue = null;
        if (consumed > 0) {
            ctx.fireChannelReadComplete();
        }
    }

Conditioning on the empty queue seems wrong to me: if autoRead is false and we queued multiple messages and just read one of them, downstream does not get a channelReadComplete from it. Thus, downstream may think the read operation is still pending and that it receives further channelReads. This could lead to stalling.
From what I see, we need to send a channelReadComplete for every read/coalesced reads, regardless of whether the queue is empty or not. @normanmaurer can you tell me what I am missing here?

    /**
     * Invoked when the last message read by the current read operation has been consumed by
     * {@link #channelRead(ChannelHandlerContext, Object)}. If {@link ChannelOption#AUTO_READ} is off, no further
     * attempt to read an inbound data from the current {@link Channel} will be made until
     * {@link ChannelHandlerContext#read()} is called.
     */
    void channelReadComplete(ChannelHandlerContext ctx) throws Exception;

@schiemon
Contributor Author

schiemon commented May 23, 2026

    @Override
    public void channelReadComplete(ChannelHandlerContext ctx) throws Exception {
        if (isQueueEmpty()) {
            ctx.fireChannelReadComplete();
        } else {
            // Don't relay completion events from upstream as they
            // make no sense in this context. See dequeue() where
            // a new set of completion events is being produced.
        }
    }

From what I understand, we shouldn't pass-through channelReadCompletes at all, except to complete an immediately preceding read (an empty read). channelReadCompletes from FCHs upstream should not be of interest to FCHs downstream.

@schiemon schiemon force-pushed the issue-15053-flowcontrol-decompressor-reproducer branch 3 times, most recently from 6190b85 to ff632dd Compare May 24, 2026 17:41
@schiemon schiemon marked this pull request as ready for review May 24, 2026 17:42
@schiemon
Contributor Author

@normanmaurer The PR is now ready for review, assuming I am not horribly wrong on the two points above

@schiemon schiemon force-pushed the issue-15053-flowcontrol-decompressor-reproducer branch from 1ccc9a2 to 08ec40a Compare May 27, 2026 06:10
Member

@normanmaurer normanmaurer left a comment


Generally looks good to me... just a few nits.

Comment thread handler/src/test/java/io/netty/handler/flow/FlowControlHandlerTest.java Outdated
@normanmaurer normanmaurer requested review from chrisvest and yawkat May 28, 2026 12:29
@normanmaurer
Member

@yawkat @chrisvest PTAL

@schiemon schiemon force-pushed the issue-15053-flowcontrol-decompressor-reproducer branch 2 times, most recently from 991bb85 to 0dc0880 Compare May 28, 2026 14:05
Motivation:

`FlowControlHandler` has two problems related to read completions:

1. Assume `autoRead == false` and `FlowControlHandler` has already queued two messages from upstream. If a downstream handler calls `read()`, `FlowControlHandler` serves that read with the first queued message. Since the queue is still not empty, `FlowControlHandler` does not fire `channelReadComplete`.

   Because `allowRead == false`, no further messages are delivered downstream until the downstream handler calls `read()` again. A downstream handler that waits for `channelReadComplete` before issuing the next `read()` may therefore stall.

2. Assume `FlowControlHandler` has just emptied its queue and correctly fired `channelRead` followed by `channelReadComplete`. If `FlowControlHandler` then receives one or more `channelReadComplete` events from upstream, it currently relays all of them downstream, resulting in duplicate `channelReadComplete` events. This is unexpected because, from the perspective of downstream handlers, there are no further read operations in progress.

To solve problem 1., we want to ensure that with `autoRead == false`, `FlowControlHandler` fires `channelReadComplete` after `dequeue`ing a message for a downstream `read()`, even if the queue is not empty. This, however, needs to be done carefully as the `read()` can be reentered after `fireChannelRead(...)`.

To solve problem 2., we want to ensure that `FlowControlHandler` does not pass through upstream `channelReadComplete` events by default. The only case where it needs to relay such an event is when there are one or more downstream `read`s for which we did not fire a message yet.

Modification:

`FlowControlHandler` now tracks unsatisfied downstream `read()` calls in `activeReads`. A read is unsatisfied if it has not yet resulted in a downstream `fireChannelRead(...)`.

Based on this state, `read()`, `channelRead(...)`, and `channelReadComplete(...)` were adapted to match the target behavior. `dequeue()` is no longer responsible for firing `channelReadComplete`.

Testing:

- `FlowControlHandlerTest`: added tests covering the new read-completion behavior and related edge cases.
- `HttpContentDecompressorTest`: added a reproducer for netty#15053.

Result:

`FlowControlHandler` now:

- fires `channelReadComplete` after `dequeue`ing one or more messages given there are no further unsatisfied `read()` calls, even if the queue is not empty (solving Problem 1);
- refires an upstream `channelReadComplete` only for empty reads, i.e. when upstream completes a read without producing a `channelRead` (solving Problem 2, fixing netty#15053).
@schiemon schiemon force-pushed the issue-15053-flowcontrol-decompressor-reproducer branch from 0dc0880 to 25ca14c Compare May 28, 2026 14:16
Member

@chrisvest chrisvest left a comment


Actually this changes the behavior when auto-read is on the whole time.

It's not really clear to me how it should work, but my instinct is that with autoRead=true the FlowControlHandler should behave as if it isn't there.

If that's the case, then both the old code and this PR fail:

    @Test
    public void testAutoReadWithBatchOfChannelReadAndReadComplete() throws Exception {
        final AtomicInteger reads = new AtomicInteger();
        final AtomicInteger readCompletes = new AtomicInteger();
        final EmbeddedChannel channel = new EmbeddedChannel(
                false, false,
                new FlowControlHandler(), // XXX comment out, and the test passes
                new ChannelInboundHandlerAdapter() {
                    @Override
                    public void channelRead(ChannelHandlerContext ctx, Object msg) {
                        reads.incrementAndGet();
                    }

                    @Override
                    public void channelReadComplete(ChannelHandlerContext ctx) {
                        readCompletes.incrementAndGet();
                    }
                });

        assertTrue(channel.config().isAutoRead());
        channel.register();

        // Issue a batch of reads, e.g. from ByteToMessageDecoder, or a busy inbound connection
        channel.writeOneInbound("msg1").syncUninterruptibly();
        channel.writeOneInbound("msg2").syncUninterruptibly();
        channel.writeOneInbound("msg3").syncUninterruptibly();

        // All three messages must arrive before channelReadComplete signals end-of-batch.
        assertEquals(3, reads.get());
        assertEquals(0, readCompletes.get()); // XXX this PR: 1, previously: 3

        // Signal end of read batch, which implies fireChannelReadComplete().
        channel.flushInbound();

        assertEquals(3, reads.get());
        assertEquals(1, readCompletes.get());

        assertFalse(channel.finishAndReleaseAll());
    }

Not sure if this is really a regression in this PR, or more of an opportunity for a follow-up PR.

@schiemon
Contributor Author

Thanks for looking into this, @chrisvest.

> It's not really clear to me how it should work, but my instinct is that with autoRead=true the FlowControlHandler should behave as if it isn't there.

This is also what I would expect, so it is indeed a bug. The issue is also present in the pre-PR version of the handler. I pushed a new commit that fixes this, and I think it makes sense to include the fix in this PR already.

@schiemon schiemon force-pushed the issue-15053-flowcontrol-decompressor-reproducer branch from 4e95b86 to 601ff20 Compare May 30, 2026 15:37
Member

@chrisvest chrisvest left a comment


Spotted a confusing comment but the rest looks good.

Comment thread handler/src/test/java/io/netty/handler/flow/FlowControlHandlerTest.java Outdated
@schiemon schiemon force-pushed the issue-15053-flowcontrol-decompressor-reproducer branch from 601ff20 to 029bab0 Compare May 31, 2026 07:59
@chrisvest chrisvest added this to the 4.2.15.Final milestone May 31, 2026
@chrisvest chrisvest added needs-cherry-pick-4.1 This PR should be cherry-picked to 4.1 once merged. needs-cherry-pick-5.0 This PR should be cherry-picked to 5.0 once merged. labels May 31, 2026
@schiemon schiemon force-pushed the issue-15053-flowcontrol-decompressor-reproducer branch from 029bab0 to e4fcabf Compare June 1, 2026 07:21
Motivation:

The current implementation still has two problems:

1. The handling of auto-read and self-triggered channelReadComplete events is hidden inside helper methods, making the control flow harder to follow and reason about.
2. When auto-read is enabled, FlowControlHandler should behave as if it is not present in the pipeline. However, the current implementation violates this contract:

   1. read() does not always delegate to ctx.read() when auto-read is enabled.
   2. channelReadComplete() does not always propagate channelReadComplete when auto-read is enabled.
   3. When all reads are satisfied, FlowControlHandler may self-fire channelReadComplete even though it needs to wait for upstream firing channelReadComplete when auto-read is enabled.

Modification:

1. Moved auto-read handling into the top-level control flow, making case-handling explicit.
2. Fixed all cases where FlowControlHandler deviated from transparent behavior when auto-read is enabled.

Result:

1. With auto-read enabled, FlowControlHandler now behaves transparently and preserves the expected channelReadComplete propagation semantics.
2. The control flow is easier to understand and reason about.
@schiemon schiemon force-pushed the issue-15053-flowcontrol-decompressor-reproducer branch from e4fcabf to b58d550 Compare June 1, 2026 07:34
@normanmaurer normanmaurer merged commit 79fc9a4 into netty:4.2 Jun 1, 2026
18 of 19 checks passed
@netty-project-bot
Contributor

Could not create auto-port PR.
Got conflicts when cherry-picking onto 5.0.

@netty-project-bot
Contributor

Could not create auto-port PR.
Got conflicts when cherry-picking onto 4.1.

@chrisvest
Member

4.1 backport: #16912

@chrisvest chrisvest removed the needs-cherry-pick-4.1 This PR should be cherry-picked to 4.1 once merged. label Jun 4, 2026
@chrisvest
Member

Port to 5.0: #16914

@chrisvest chrisvest removed the needs-cherry-pick-5.0 This PR should be cherry-picked to 5.0 once merged. label Jun 4, 2026
dongjoon-hyun added a commit to apache/spark-kubernetes-operator that referenced this pull request Jun 4, 2026
### What changes were proposed in this pull request?

This PR aims to upgrade `Netty` to 4.2.15.Final.

### Why are the changes needed?

To bring the latest bug fixes:

- https://netty.io/news/2026/06/01/4-2-15-Final.html
  - [CVE-2026-48059](GHSA-h2qv-fj59-j46j): memory exhaustion in io.netty:netty-codec-haproxy (high).
  - [CVE-2026-47691](GHSA-5pvg-856g-cp85): DNS cache poisoning in io.netty:netty-resolver-dns (high).
  - [CVE-2026-XXXXX](https://github.com/netty/netty/security/advisories/GHSA-563q-j3cm-6jxm): DDoS in io.netty:netty-codec-http2.
  - [CVE-2026-XXXXX](GHSA-5w86-c3rq-vjj7): memory exhaustion in io.netty:netty-codec-redis (high).
  - [CVE-2026-44250](GHSA-3244-j874-rhc2): memory exhaustion in io.netty:netty-codec-redis (high).
  - [CVE-2026-44890](GHSA-6ghj-frrj-jjj3): memory exhaustion in io.netty:netty-codec-redis (high).
  - [CVE-2026-XXXXX](GHSA-cq4q-cv5g-r8q5): information disclosure and denial of service in io.netty:netty-codec-classes-quic.
  - [CVE-2026-44249](GHSA-3qp7-7mw8-wx86): IPv6 subnet filter bypass in io.netty:netty-handler (high).
  - [CVE-2026-XXXXX](GHSA-hvcg-qmg6-jm4c): request smuggling in io.netty:netty-codec-http.
  - [CVE-2026-44892](GHSA-c2rx-5r8w-8xr2): memory exhaustion in io.netty:netty-codec-http3 (high).
  - [CVE-2026-44893](GHSA-cc37-9q2j-3hfv): memory leak in io.netty:netty-codec-haproxy (high).
  - [CVE-2026-44894](GHSA-cmm3-54f8-px4j): traffic amplification in io.netty:netty-codec-classes-quic (high).
  - [CVE-2026-XXXXX](GHSA-c653-97m9-rcg9): TLS hostname verification accidentally disabled in io.netty:netty-handler (high).
  - [CVE-2026-45673](GHSA-xmv7-r254-6q78): DNS cache poisoning in io.netty:netty-resolver-dns.
  - [CVE-2026-45416](GHSA-x4gw-5cx5-pgmh): excessive memory usage from SNIHandler in io.netty:netty-handler (high).
  - [CVE-2026-45536](GHSA-w573-9ffj-6ff9): file descriptor leak in io.netty:netty-transport-native-epoll and io.netty:netty-transport-native-kqueue.
  - [CVE-2026-45674](GHSA-676x-f7gg-47vc): DNS cache poisoning in io.netty:netty-resolver-dns (high).
  - [CVE-2026-46340](GHSA-5xrh-qmmq-w6ch): memory exhaustion in io.netty:netty-transport-sctp (high).
  - [CVE-2026-47244](GHSA-5x3r-wrvg-rp6q): denial of service in io.netty:netty-codec-http2.
  - [CVE-2026-48006](GHSA-6jv9-x5w9-2ccm): memory exhaustion in io.netty:netty-codec-redis (high).
  - [CVE-2026-48748](GHSA-4grm-h2qv-h6w6): memory exhaustion in io.netty:netty-codec-http3 (high).
  - [CVE-2026-48043](GHSA-c2gf-v879-257j): memory exhaustion in io.netty:netty-codec-http2.
  - Fix race in io.netty.channel.uring.IoUringIoHandler.wakeup [#16836](netty/netty#16836)
  - HTTP/2: Parse request-target path like Vert.x [#16810](netty/netty#16810)
  - ChannelInitializer: correct misleading comment on exceptionCaught route [#16853](netty/netty#16853)
  - FlowControlHandler: Suppress duplicate channelReadComplete after draining queue [#16837](netty/netty#16837)
  - Pass maxAllocation to Brotli and Zstd decoders [#16844](netty/netty#16844)
  - Add maxWindowLog parameter to ZstdDecoder to bound memory allocation [#16850](netty/netty#16850)
  - MQTT: Reject malformed no-payload packets with non-zero Remaining Length [#16890](netty/netty#16890)

### Does this PR introduce _any_ user-facing change?

No.

### How was this patch tested?

Pass the CIs.

### Was this patch authored or co-authored using generative AI tooling?

Generated-by: Claude Opus 4.8

Closes #700 from dongjoon-hyun/SPARK-57272.

Authored-by: Dongjoon Hyun <[email protected]>
Signed-off-by: Dongjoon Hyun <[email protected]>
chrisvest added a commit that referenced this pull request Jun 5, 2026
- #16881
- #16876
- #16866
- #16870
- #16837
- #16858
- #16882
- #16893

---------

Co-authored-by: Norman Maurer <[email protected]>
Co-authored-by: Violeta Georgieva <[email protected]>
Co-authored-by: Szymon Habrainski <[email protected]>
mergify Bot added a commit to ArcadeData/arcadedb that referenced this pull request Jun 7, 2026
…ip ci]

Bumps `netty.version` from 4.2.14.Final to 4.2.15.Final.
Updates `io.netty:netty-transport` from 4.2.14.Final to 4.2.15.Final
Release notes

*Sourced from [io.netty:netty-transport's releases](https://github.com/netty/netty/releases).*

> netty-4.2.15.Final
> ------------------
>
> Security fixes
> --------------
>
> * [CVE-2026-48059](GHSA-h2qv-fj59-j46j): memory exhaustion in `io.netty:netty-codec-haproxy` (high).
> * [CVE-2026-47691](GHSA-5pvg-856g-cp85): DNS cache poisoning in `io.netty:netty-resolver-dns` (high).
> * [CVE-2026-XXXXX](https://github.com/netty/netty/security/advisories/GHSA-563q-j3cm-6jxm): DDoS in `io.netty:netty-codec-http2`.
> * [CVE-2026-50011](GHSA-5w86-c3rq-vjj7): memory exhaustion in `io.netty:netty-codec-redis` (high).
> * [CVE-2026-44250](GHSA-3244-j874-rhc2): memory exhaustion in `io.netty:netty-codec-redis` (high).
> * [CVE-2026-44890](GHSA-6ghj-frrj-jjj3): memory exhaustion in `io.netty:netty-codec-redis` (high).
> * [CVE-2026-50009](GHSA-cq4q-cv5g-r8q5): information disclosure and denial of service in `io.netty:netty-codec-classes-quic`.
> * [CVE-2026-44249](GHSA-3qp7-7mw8-wx86): IPv6 subnet filter bypass in `io.netty:netty-handler` (high).
> * [CVE-2026-50020](GHSA-hvcg-qmg6-jm4c): request smuggling in `io.netty:netty-codec-http`.
> * [CVE-2026-44892](GHSA-c2rx-5r8w-8xr2): memory exhaustion in `io.netty:netty-codec-http3` (high).
> * [CVE-2026-44893](GHSA-cc37-9q2j-3hfv): memory leak in `io.netty:netty-codec-haproxy` (high).
> * [CVE-2026-44894](GHSA-cmm3-54f8-px4j): traffic amplification in `io.netty:netty-codec-classes-quic` (high).
> * [CVE-2026-50010](GHSA-c653-97m9-rcg9): TLS hostname verification accidentally disabled in `io.netty:netty-handler` (high).
> * [CVE-2026-45673](GHSA-xmv7-r254-6q78): DNS cache poisoning in `io.netty:netty-resolver-dns`.
> * [CVE-2026-45416](GHSA-x4gw-5cx5-pgmh): excessive memory usage from SNIHandler in `io.netty:netty-handler` (high).
> * [CVE-2026-45536](GHSA-w573-9ffj-6ff9): file descriptor leak in `io.netty:netty-transport-native-epoll` and `io.netty:netty-transport-native-kqueue`.
> * [CVE-2026-45674](GHSA-676x-f7gg-47vc): DNS cache poisoning in `io.netty:netty-resolver-dns` (high).
> * [CVE-2026-46340](GHSA-5xrh-qmmq-w6ch): memory exhaustion in `io.netty:netty-transport-sctp` (high).
> * [CVE-2026-47244](GHSA-5x3r-wrvg-rp6q): denial of service in `io.netty:netty-codec-http2`.
> * [CVE-2026-48006](GHSA-6jv9-x5w9-2ccm): memory exhaustion in `io.netty:netty-codec-redis` (high).
> * [CVE-2026-48748](GHSA-4grm-h2qv-h6w6): memory exhaustion in `io.netty:netty-codec-http3` (high).
> * [CVE-2026-48043](GHSA-c2gf-v879-257j): memory exhaustion in `io.netty:netty-codec-http2`.
>
> What's Changed
> --------------
>
> * Fix race in io.netty.channel.uring.IoUringIoHandler.wakeup by [`@​dreamlike-ocean`](https://github.com/dreamlike-ocean) in [netty/netty#16836](https://redirect.github.com/netty/netty/pull/16836)
> * HTTP/2: Parse request-target path like Vert.x by [`@​yawkat`](https://github.com/yawkat) in [netty/netty#16810](https://redirect.github.com/netty/netty/pull/16810)
> * Auto-port 4.2: ChannelInitializer: correct misleading comment on exceptionCaught route by [`@​netty-project-bot`](https://github.com/netty-project-bot) in [netty/netty#16853](https://redirect.github.com/netty/netty/pull/16853)
> * FlowControlHandler: Suppress duplicate channelReadComplete after draining queue ([#15053](https://redirect.github.com/netty/netty/issues/15053)) by [`@​schiemon`](https://github.com/schiemon) in [netty/netty#16837](https://redirect.github.com/netty/netty/pull/16837)
> * Pass maxAllocation to Brotli and Zstd decoders by [`@​fedinskiy`](https://github.com/fedinskiy) in [netty/netty#16844](https://redirect.github.com/netty/netty/pull/16844)
> * Fix revapi warnings by [`@​chrisvest`](https://github.com/chrisvest) in [netty/netty#16885](https://redirect.github.com/netty/netty/pull/16885)
> * Fix SCTP and Redis tests by [`@​chrisvest`](https://github.com/chrisvest) in [netty/netty#16893](https://redirect.github.com/netty/netty/pull/16893)
> * Add maxWindowLog parameter to ZstdDecoder to bound memory allocation by [`@​skyguard1`](https://github.com/skyguard1) in [netty/netty#16850](https://redirect.github.com/netty/netty/pull/16850)
> * Auto-port 4.2: MQTT: Reject malformed no-payload packets with non-zero Remaining Length by [`@​netty-project-bot`](https://github.com/netty-project-bot) in [netty/netty#16890](https://redirect.github.com/netty/netty/pull/16890)
>
> New Contributors
> ----------------
>
> * [`@​schiemon`](https://github.com/schiemon) made their first contribution in [netty/netty#16837](https://redirect.github.com/netty/netty/pull/16837)
> * [`@​fedinskiy`](https://github.com/fedinskiy) made their first contribution in [netty/netty#16844](https://redirect.github.com/netty/netty/pull/16844)
>
> **Full Changelog**: <netty/netty@netty-4.2.14.Final...netty-4.2.15.Final>


Commits

* [`a41f7b2`](netty/netty@a41f7b2) [maven-release-plugin] prepare release netty-4.2.15.Final
* [`2394530`](netty/netty@2394530) Auto-port 4.2: MQTT: Reject malformed no-payload packets with non-zero Remain...
* [`0bd1657`](netty/netty@0bd1657) Add maxWindowLog parameter to ZstdDecoder to bound memory allocation ([#16850](https://redirect.github.com/netty/netty/issues/16850))
* [`76291f5`](netty/netty@76291f5) Fix SCTP and Redis tests ([#16893](https://redirect.github.com/netty/netty/issues/16893))
* [`e067b6e`](netty/netty@e067b6e) Fix revapi warnings ([#16885](https://redirect.github.com/netty/netty/issues/16885))
* [`5a52600`](netty/netty@5a52600) Pass maxAllocation to Brotli and Zstd decoders ([#16844](https://redirect.github.com/netty/netty/issues/16844))
* [`541add0`](netty/netty@541add0) Merge commit from fork
* [`270800e`](netty/netty@270800e) Merge commit from fork
* [`3d45a1e`](netty/netty@3d45a1e) Merge commit from fork
* [`75127ca`](netty/netty@75127ca) Merge commit from fork
* Additional commits viewable in [compare view](netty/netty@netty-4.2.14.Final...netty-4.2.15.Final)
  
Updates `io.netty:netty-codec` from 4.2.14.Final to 4.2.15.Final
Updates `io.netty:netty-handler` from 4.2.14.Final to 4.2.15.Final
> * HTTP/2: Parse request-target path like Vert.x by [`@​yawkat`](https://github.com/yawkat) in [netty/netty#16810](https://redirect.github.com/netty/netty/pull/16810)
> * Auto-port 4.2: ChannelInitializer: correct misleading comment on exceptionCaught route by [`@​netty-project-bot`](https://github.com/netty-project-bot) in [netty/netty#16853](https://redirect.github.com/netty/netty/pull/16853)
> * FlowControlHandler: Suppress duplicate channelReadComplete after draining queue ([#15053](https://redirect.github.com/netty/netty/issues/15053)) by [`@​schiemon`](https://github.com/schiemon) in [netty/netty#16837](https://redirect.github.com/netty/netty/pull/16837)
> * Pass maxAllocation to Brotli and Zstd decoders by [`@​fedinskiy`](https://github.com/fedinskiy) in [netty/netty#16844](https://redirect.github.com/netty/netty/pull/16844)
> * Fix revapi warnings by [`@​chrisvest`](https://github.com/chrisvest) in [netty/netty#16885](https://redirect.github.com/netty/netty/pull/16885)
> * Fix SCTP and Redis tests by [`@​chrisvest`](https://github.com/chrisvest) in [netty/netty#16893](https://redirect.github.com/netty/netty/pull/16893)
> * Add maxWindowLog parameter to ZstdDecoder to bound memory allocation by [`@​skyguard1`](https://github.com/skyguard1) in [netty/netty#16850](https://redirect.github.com/netty/netty/pull/16850)
> * Auto-port 4.2: MQTT: Reject malformed no-payload packets with non-zero Remaining Length by [`@​netty-project-bot`](https://github.com/netty-project-bot) in [netty/netty#16890](https://redirect.github.com/netty/netty/pull/16890)
>
> New Contributors
> ----------------
>
> * [`@​schiemon`](https://github.com/schiemon) made their first contribution in [netty/netty#16837](https://redirect.github.com/netty/netty/pull/16837)
> * [`@​fedinskiy`](https://github.com/fedinskiy) made their first contribution in [netty/netty#16844](https://redirect.github.com/netty/netty/pull/16844)
>
> **Full Changelog**: <netty/netty@netty-4.2.14.Final...netty-4.2.15.Final>


Commits

* [`a41f7b2`](netty/netty@a41f7b2) [maven-release-plugin] prepare release netty-4.2.15.Final
* [`2394530`](netty/netty@2394530) Auto-port 4.2: MQTT: Reject malformed no-payload packets with non-zero Remain...
* [`0bd1657`](netty/netty@0bd1657) Add maxWindowLog parameter to ZstdDecoder to bound memory allocation ([#16850](https://redirect.github.com/netty/netty/issues/16850))
* [`76291f5`](netty/netty@76291f5) Fix SCTP and Redis tests ([#16893](https://redirect.github.com/netty/netty/issues/16893))
* [`e067b6e`](netty/netty@e067b6e) Fix revapi warnings ([#16885](https://redirect.github.com/netty/netty/issues/16885))
* [`5a52600`](netty/netty@5a52600) Pass maxAllocation to Brotli and Zstd decoders ([#16844](https://redirect.github.com/netty/netty/issues/16844))
* [`541add0`](netty/netty@541add0) Merge commit from fork
* [`270800e`](netty/netty@270800e) Merge commit from fork
* [`3d45a1e`](netty/netty@3d45a1e) Merge commit from fork
* [`75127ca`](netty/netty@75127ca) Merge commit from fork
* Additional commits viewable in [compare view](netty/netty@netty-4.2.14.Final...netty-4.2.15.Final)
  
mergify Bot added a commit to ArcadeData/arcadedb that referenced this pull request Jun 7, 2026
…l [skip ci]

Bumps [io.netty:netty-all](https://github.com/netty/netty) from 4.2.14.Final to 4.2.15.Final.