Download Latest Version Libevent 2.2.2-alpha source code.tar.gz (873.0 kB)
Email in envelope

Get an email when there's a new version of libevent

Home / release-2.2.2-alpha
Name Modified Size InfoDownloads / Week
Parent folder
libevent-2.2.2-alpha.tar.gz 2026-07-01 1.3 MB
libevent-2.2.2-alpha.tar.gz.asc 2026-07-01 833 Bytes
Libevent 2.2.2-alpha source code.tar.gz 2026-07-01 873.0 kB
Libevent 2.2.2-alpha source code.zip 2026-07-01 1.1 MB
README.md 2026-07-01 2.3 kB
Totals: 5 Items   3.2 MB 0

Changes in version 2.2.2-alpha (01 July 2026)

This release contains several security fixes, affecting users of the following modules: evbuffer, bufferevent, evtag, evrpc, evdns, evhttp, and evws. If you have a program that uses one of those modules, or if you distribute libevent, you should upgrade.

(Note: the latest stable release as of this writing is 2.1.13.)

Security fixes (evws):

  • Fix a null dereference in the error path of evws_new_session(). (Found by @DarkaMaul. GHSA-3rpf-frgx-xq34)
  • Prevent unbounded memory accumulation in websockets via frame fragmentation. (Found by @sectroyer. GHSA-qx89-wf2v-vgmx)

Security Fixes, also in 2.1.13 (evtag, evrpc):

  • Fix an out-of-bounds read in decode_tag_internal. (Found by @Brubbish. GHSA-fj29-64w6-73h6)
  • Fix an integer overflow in evtag_unmarshal_header. (Found by @Brubbish. GHSA-45c6-qx49-89m8)

Security Fixes, also in 2.1.13 (evhttp):

  • Discard HTTP trailers, to prevent header smuggling attacks. (Found by @sebastianosrt. GHSA-2gmv-p5m7-98p6)
  • Restrict HTTP header parsing to prevent request smuggling. (Originally reported by @xclow3n; and then by @kodareef5, @nstaller0490, @AsafMeizneer, and @yaotushaozhu. GHSA-q39v-w2g7-gr8j.)
  • Treat CRLF and %00 more strictly in HTTP headers, to prevent parser mismatch attacks. (Reported by @xclow3n and @AsafMeizner. See GHSA-q39v-w2g7-gr8j, GHSA-jcwh-pvf2-73p2.)
  • Fix a heap out-of-bound write that could occur when using AF_UNIX sockets and compiling libevent with -DNDEBUG. (Found by @mat-mo. GHSA-cvq5-vrvr-j338)

Security fixes, also in 2.1.13 (evbuffer, bufferevent):

  • Fixed a dangling pointer in evbuffer_add_reference. (Found by @DarkaMaul. GHSA-c2pj-cg4r-88c8)

Security fixes, also in 2.1.13 (evdns):

  • Fix an out-of-bounds write in dnsname_to_labels when building a DNS response of 2^16 bytes. (Found by @sectroyer. GHSA-58rx-7448-jw47)

Security fixes, also in 2.1.13 (example code):

  • Avoid using strcpy() in sample/http-server.c. (Reported by @sectroyer. GHSA-5rgj-2c58-7jrc.)

Other fixes:

  • Enable a test for signalfd that had previously been disabled by mistake.
  • Fix compilation of some examples and tests, and resolve several compiler warnings.
Source: README.md, updated 2026-07-01