fix: bump netty to 4.1.135.Final to remediate CVE-2026-44249 and CVE-2026-45416 #925

Status: Open
nikagra wants to merge 1 commit into scylla-4.x from fix/cve-2026-44249-bump-netty

Conversation

@nikagra nikagra commented Jun 15, 2026


Summary

Root fix for CVE-2026-44249 and CVE-2026-45416, tracked in scylladb/kafka-connect-scylladb#184.

netty-handler prior to 4.1.135.Final is affected by two HIGH severity vulnerabilities:

  • CVE-2026-44249 (CVSS 8.1): IpSubnetFilterRule.compareTo() performs an incorrect masking operation, allowing attackers to bypass IPv6 subnet ACL rules with valid public IP addresses.

  • CVE-2026-45416 (CVSS 7.5): SslClientHelloHandler.decode() eagerly allocates up to 16 MiB of unpooled memory when maxClientHelloLength=0 (the SniHandler default). A crafted TLS ClientHello can trigger memory exhaustion (DoS).

Change

-    <netty.version>4.1.133.Final</netty.version>
+    <netty.version>4.1.135.Final</netty.version>
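Review bot: the hunk changes only the netty.version property, so the remediation depends on every Netty artifact actually being managed through ${netty.version}; before merging, confirm with `mvn dependency:tree -Dincludes=io.netty` that no Netty artifact (for example one managed through an imported BOM) still resolves to 4.1.133.Final, since a single artifact pinned outside the property would leave netty-handler unpatched while the property suggests otherwise. The description could also record that the driver build and test suite were run against 4.1.135.Final, as the diff itself carries no test evidence.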

One-line change in the root pom.xml. All consumers of java-driver-core will inherit the fix transitively once a new driver release is published, eliminating the need for downstream <dependencyManagement> overrides.

Follow-up

After this merges and a new release is cut, scylladb/kafka-connect-scylladb will bump scylladb.version and remove the temporary BOM override added in Stage 1.
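A downstream check for the transitive-inheritance claim above, added here as an example and not code from the java-driver project: it parses `mvn dependency:tree` text output (a constructed sample is embedded; the non-Netty coordinates and versions in it are placeholders), flags io.netty artifacts still below 4.1.135.Final, and reports mixed Netty versions such as those a partial BOM override can leave behind.

```python
"""Scan `mvn dependency:tree` output for Netty artifacts still below the fixed release."""
import re
from typing import NamedTuple

# Minimum netty-handler release carrying the fixes for CVE-2026-44249 and CVE-2026-45416 (from the PR).
FIXED_NETTY = "4.1.135.Final"
SCOPES = {"compile", "runtime", "test", "provided", "system"}

# Constructed sample of a consumer's dependency tree; only the io.netty lines carry real version values.
SAMPLE_TREE = """\
[INFO] com.example:connector:jar:0.0.0-PLACEHOLDER
[INFO] +- com.scylladb:java-driver-core:jar:0.0.0-PLACEHOLDER:compile
[INFO] |  +- io.netty:netty-handler:jar:4.1.133.Final:compile
[INFO] |  +- io.netty:netty-codec:jar:4.1.135.Final:compile
[INFO] |  \\- io.netty:netty-transport:jar:4.1.133.Final:compile
[INFO] \\- org.lz4:lz4-java:jar:1.10.1:compile
"""


class Dependency(NamedTuple):
    group: str
    artifact: str
    version: str


def version_key(version: str) -> tuple:
    """Order Netty-style versions (e.g. 4.1.135.Final) by their numeric components only."""
    return tuple(int(p) for p in version.split(".") if p.isdigit())


def parse_tree(tree: str) -> list:
    """Extract group, artifact and version from each coordinate line of the tree output."""
    deps = []
    for line in tree.splitlines():
        # Drop the log prefix and the tree-drawing glyphs (| + \ -) in front of the coordinates.
        coords = re.sub(r"^\[INFO\]\s*[|+\\\- ]*", "", line).strip()
        parts = coords.split(":")
        if len(parts) < 4:
            continue  # not a coordinate line
        # Layout is group:artifact:type[:classifier]:version[:scope]; the root line has no scope.
        version = parts[-2] if parts[-1] in SCOPES else parts[-1]
        deps.append(Dependency(parts[0], parts[1], version))
    return deps


def outdated_netty(tree: str, fixed: str = FIXED_NETTY) -> list:
    """Return io.netty artifacts whose resolved version is older than `fixed`."""
    return [d for d in parse_tree(tree)
            if d.group == "io.netty" and version_key(d.version) < version_key(fixed)]


def netty_versions(tree: str) -> set:
    """Distinct io.netty versions in the tree; more than one signals a partial override."""
    return {d.version for d in parse_tree(tree) if d.group == "io.netty"}
```

Run `mvn dependency:tree -Dincludes=io.netty` in the consuming project and feed the output to `outdated_netty`; an empty result together with a single-element `netty_versions` set is what a correctly inherited bump looks like.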

…2026-45416

netty-handler prior to 4.1.135.Final is affected by two HIGH severity
vulnerabilities:

- CVE-2026-44249 (CVSS 8.1): IpSubnetFilterRule.compareTo() performs an
  incorrect masking operation, allowing attackers to bypass IPv6 subnet
  ACL rules with valid public IP addresses.

- CVE-2026-45416 (CVSS 7.5): SslClientHelloHandler.decode() eagerly
  allocates up to 16 MiB of unpooled memory when maxClientHelloLength=0
  (the SniHandler default). A crafted TLS ClientHello can trigger memory
  exhaustion (DoS).

One-line change in the root pom.xml. All consumers of java-driver-core
will inherit the fix transitively once a new driver release is published.

Tracked in: scylladb/kafka-connect-scylladb#184
coderabbitai Bot commented Jun 15, 2026

No actionable comments were generated in the recent review. 🎉

Commits

Reviewing files that changed from the base of the PR and between 1d65bce and 61ab4f2.

Files selected for processing (1)
  • pom.xml

Walkthrough

The Maven property netty.version in pom.xml is incremented from 4.1.133.Final to 4.1.135.Final. This single-line change causes all Netty artifacts whose versions are managed via the ${netty.version} placeholder to resolve to the newer release.

Pre-merge checks (5 passed)

  • Title check: Passed. The title clearly and specifically identifies the main change: bumping Netty to address two named CVEs, which directly matches the changeset's purpose.

  • Description check: Passed. The description provides comprehensive context about the security vulnerabilities, the specific change, and follow-up actions, all directly related to the changeset.

  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.

  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.


nikagra added a commit to scylladb/kafka-connect-scylladb that referenced this pull request Jun 15, 2026
Consume java-driver 4.19.2.0 which inherits the following fixes:

- CVE-2026-42583: netty-handler HTTP response splitting (fixed in 4.1.133.Final)
- CVE-2026-44249: netty-handler IPv6 subnet rule bypass (fixed in 4.1.135.Final)
- CVE-2026-45416: netty-handler SslClientHelloHandler DoS (fixed in 4.1.135.Final)

The driver 4.19.2.0 ships with netty 4.1.135.Final via scylladb/java-driver#925,
so the temporary netty-bom override added in #165 and #185 is no longer needed.

Also bumps lz4-java from 1.10.1 to 1.11.0 to match the driver POM.

Closes #164, closes #184
Supersedes: #165, #185 (Stage 1 overrides — safe to close)
Supersedes: Renovate PR #156 (lz4-java 1.10.1 → 1.11.0)
@nikagra nikagra requested review from dkropachev and roydahan June 16, 2026 11:29