CVE-2026-33870/1 High Vulnerabilities in netty

NeilBillett · April 17, 2026, 10:11am

Hi - are there any plans/mitigations for these two recent high severity vulnerabilities for netty:

They are vulnerabilities in < netty 4.1.132.Final around DoS and request smuggling.

I see in the recent 2.19.5 release of Opensearch the version of netty (in modules and several plugins) is at 4.1.131.Final i.e. just missing the cut.

Appreciate any info you can share about plans for these two.

many thanks,

Neil

pablo · April 20, 2026, 7:25am

@NeilBillett According to the OpenSearch 3.6.0 release notes, these CVEs were addressed in that release.

github.com/opensearch-project/opensearch-build

release-notes/opensearch-release-notes-3.6.0.md

main

# OpenSearch and OpenSearch Dashboards 3.6.0 Release Notes

## Release Highlights

### New and Updated Features

#### Search Modernization
* **Automate search app development with OpenSearch Launchpad**: An AI-powered agent automatically provisions a complete local setup with optimal architecture and working UI based on your sample documents and conversational input. Launchpad can handle every technical decision—from semantic encoding to cluster configuration—and integrates natively with IDEs.

* **Build more robust agentic search applications**: New capabilities include alias support, embedding model configuration, fallback query options, reranking capabilities, and agentic memory for conversational, context-aware search experiences with improved relevance and precision.

* **Maximize storage efficiency with 1-bit Scalar Quantization**: 1-bit SQ delivers 32x compression across Faiss and Lucene engines with 24% better recall and 15% lower latency. Perform approximate and exact k-NN search directly on quantized vectors for metadata-heavy use cases.

* **Decrease latency with Faiss quantization optimizations**: New functionality leverages quantized flat vectors directly from graph files, offering a 40% reduction in latency for quantized index searches compared with FP32 flat vectors.

* **Reduce vector storage with metadata compression**: Zstandard compression for vectors reduces the disk footprint for metadata, enabling storage of more metadata-rich vectors on same hardware without compromising high-speed access needed for search and retrieval.

* **Reduce vector search latency 50%**: New prefetch functionality for ANN and exact search proactively loads vectors into memory before CPU needs them, minimizing idle cycles to deliver up to 2x search latency improvements for memory-constrained environments.

* **Streamline relevance tuning**: Ease-of-use enhancements to the Search Relevance Workbench simplify the work of organizing experiments, running experiments against multiple data sources, and creating query sets. Evaluate quality for different search scenarios with three new metrics: Recall@K, MRR, and DCG@K.

This file has been truncated. show original

github.com/opensearch-project/security-analytics

Fixed CVE-2026-33871 and CVE-2026-33870. (#1685)

main ← AWSHurneyt:main-v3.6-cves

opened 06:40PM - 01 Apr 26 UTC

AWSHurneyt

+0 -0

### Description Updated security analytics commons jar following CVE-2026-33871… and CVE-2026-33870 fixes in https://github.com/opensearch-project/security-analytics-commons/pull/33. ### Related Issues Resolves #[Issue number to be closed when this PR is merged] ### Check List - [ ] New functionality includes testing. - [ ] New functionality has been documented. - [ ] API changes companion pull request [created](https://github.com/opensearch-project/opensearch-api-specification/blob/main/DEVELOPER_GUIDE.md). - [x] Commits are signed per the DCO using `--signoff`. - [ ] Public documentation issue/PR [created](https://github.com/opensearch-project/documentation-website/issues/new/choose). By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. For more information on following Developer Certificate of Origin and signing off your commits, please check [here](https://github.com/opensearch-project/security-analytics/blob/main/CONTRIBUTING.md#developer-certificate-of-origin).

NeilBillett · April 20, 2026, 8:19am

Thanks @pablo - yes - 3.6.0 looks to have been released after these CVEs came to light so incorporated the fixes.

Its the 2.19.x line I’m really interested in as 2.19.5 was released before they came to light.

Is it safe to assume that these fixes will be incorporated into the next scheduled release? (2.19.6)

…and you can guess my next question (when?)

thanks,

Neil

pablo · April 21, 2026, 11:55am

@NeilBillett As per latest announcement and release tracker OpenSearch 2.19 and 3.6 are under LTS.

OpenSearch 2.19.6 is scheduled to be released in June 2026 and it should contained all identified CVEs.

NeilBillett · April 21, 2026, 12:13pm

Thank you @pablo

best wishes

Neil

Topic		Replies	Views
CVE-2025-24970 Apache Netty < 4.1.118.Final Security cve , security-issue	6	686	February 28, 2025
Opensearch v2.2.1 with vulns CVE-2022-24823 CVE-2022-36033 after a Trivy Scan Security cve , security-issue	2	573	September 21, 2022
OpenSearch and Updated nss fix CVE-2021-43527 OpenDistro releases , cve	10	1123	December 16, 2021
Facing issue with OpenSearch image vulnerabilities OpenSearch cve , security-issue	2	864	January 26, 2023
CVE-2025-9624 Doubts Security cve	1	135	December 4, 2025

CVE-2026-33870/1 High Vulnerabilities in netty

Related topics