The Red Hat build of Quarkus 3.27.4 release includes fixes for five security vulnerabilities affecting Netty libraries used within Quarkus. The vulnerabilities addressed are: CVE-2026-42579 (improper DNS domain name constraint enforcement causing high integrity impact), CVE-2026-42584 (incorrect HTTP response parsing leading to data confusion), CVE-2026-42581 (HTTP request smuggling due to improper handling of conflicting HTTP/1.0 headers), CVE-2026-42578 (HTTP header injection via disabled validation in HttpProxyHandler), and CVE-2026-42587 (denial of service via unbounded memory allocation in HTTP content decompression for both HTTP/1 and HTTP/2 codecs). These issues could impact the integrity, confidentiality, and availability of applications using affected versions of Red Hat build of Quarkus. The advisory recommends updating to version 3.27.4 which contains these fixes.

The vulnerabilities fixed in this update have a high security impact, including potential integrity violations (CVE-2026-42579), data confusion (CVE-2026-42584), HTTP request smuggling (CVE-2026-42581), HTTP header injection (CVE-2026-42578), and denial of service through unbounded memory allocation (CVE-2026-42587). These could allow attackers to manipulate HTTP traffic, inject malicious headers, cause application crashes, or disrupt service availability. The combined effect could compromise application behavior and security when using vulnerable Netty components within Quarkus.

A security update to Red Hat build of Quarkus 3.27.4 is available and includes fixes for the identified vulnerabilities. Users should apply this update after ensuring all previously released errata relevant to their system have been applied. Refer to the Red Hat advisory RHSA-2026:23808 and the official update instructions at https://access.redhat.com/articles/11258 for detailed guidance. No additional mitigations are indicated beyond applying the official update.