High and critical CVEs found on netty packages

[Poojitha-R-Rao]

Describe the bug

our twistlock/Aquasec container scans have found below CVEs in the current netty version.

Affected CVEs

• CVE-2026-42587
• CVE-2026-42585
• CVE-2026-42584
• CVE-2026-42581
• CVE-2026-42583
• CVE-2026-42580
• CVE-2026-41417

In order to resolve the above CVEs, netty packages need to be upgraded to 4.2.13.Final version.

Regression Issue

• Select this option if this issue appears to be a regression.

Expected Behavior

netty packages need to be upgraded to 4.2.13.Final version.

Current Behavior

netty packages are in the version 4.1.133.Final - which is vulnerable

Reproduction Steps

Use twistlock/aquasec scanner to detect the CVEs.

Possible Solution

Netty version upgrade to the fixed version 4.2.13.Final

Additional Information/Context

No response

AWS Java SDK version used

2.42.25

JDK version used

2.42.25

Operating System and version

linux UBI 9

[bhoradc]

Hello @Poojitha-R-Rao

Thanks for reporting this. These CVEs affect Netty versions <= 4.1.132.Final, which is what Java SDK v2.42.25 ships with.

We have already upgraded Netty to 4.1.133.Final (which patches all 7 CVEs) in SDK version 2.44.3. Please upgrade your SDK to v2.44.3 or later to resolve these vulnerabilities.

Regarding the suggestion to upgrade to Netty 4.2.13.Final, the SDK currently uses the Netty 4.1.x. Upgrading to 4.2.x is a separate effort tracked in #6757.

Regards,
Chaitanya