From 55bd511c4e35ef9168c8896cb572f6ef6c6087d2 Mon Sep 17 00:00:00 2001 From: Mikita Hradovich Date: Tue, 19 May 2026 14:19:44 +0200 Subject: [PATCH] fix: bump netty to 4.1.133.Final to remediate CVE-2026-42583 Lz4FrameDecoder in netty-codec prior to 4.1.133.Final allocates up to 32 MB per block before decompression runs. A peer can trigger this with a 21-byte crafted LZ4 header, causing memory exhaustion (DoS). Bump netty.version from 4.1.127.Final to 4.1.133.Final so all consumers of java-driver-core inherit the fix transitively, without needing local dependencyManagement overrides. Ref: scylladb/kafka-connect-scylladb#164 CVE: CVE-2026-42583 CVSS: 7.5 (HIGH) --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index f3f674bbac7..917d96c943d 100644 --- a/pom.xml +++ b/pom.xml @@ -58,7 +58,7 @@ 2.2.2 4.2.37 - 4.1.127.Final + 4.1.133.Final 1.2.1
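Review bot: the hunk only changes the `netty.version` property value (`- 4.1.127.Final` / `+ 4.1.133.Final`), so the commit message's claim that every consumer of java-driver-core "inherit[s] the fix transitively" holds only for netty artifacts whose version is bound to that property; any netty module reaching the build through a different path or with its own pinned version would stay on the old release. Please add to the PR description the output of `mvn dependency:tree -Dincludes=io.netty` showing that netty-codec (the module named in the advisory) resolves to 4.1.133.Final and that no other io.netty artifact is left on an older version, and confirm the driver's test suite was run against the bumped version, since the hunk spans several netty patch releases (4.1.127 to 4.1.133) beyond the single Lz4FrameDecoder fix being targeted.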