Description
Netty is a network application framework for development of protocol servers and clients. In netty-codec-redis prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can cause DoS by sending a crafted Redis payload with deeply nested arrays. This forces the server to allocate a massive number of state objects and collections, leading to memory exhaustion and an OutOfMemoryError. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Published: 2026-06-11
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Netty’s netty-codec-redis library contains a flaw that enables an attacker able to send a specially crafted Redis payload with deeply nested arrays. When processed, the library allocates an enormous number of state objects and collections, exhausting the JVM heap and resulting in an OutOfMemoryError. The primary consequence is denial of service; the attacker gains no direct code execution or data exfiltration. This weakness is classified as an improper input validation problem (CWE-400) and an uncontrolled resource consumption problem (CWE-770).

Affected Systems

The vulnerability affects the Netty framework, specifically the netty-codec-redis component. Versions prior to 4.1.135.Final (in the 4.1 series) and prior to 4.2.15.Final (in the 4.2 series) are vulnerable. Updating the library to these fixed releases mitigates the issue.

Risk and Exploitability

The CVSS score of 7.5 places the flaw in the high severity range. The vulnerability can be triggered by sending a crafted Redis payload with deeply nested arrays to a Netty-based Redis endpoint. Exploitation requires only network access to that endpoint and the ability to issue the payload. The EPSS score of 0.00038 (approximately 0.04%) indicates a very low probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog. The impact is a denial of service, as the server will exhaust JVM memory.

Generated by OpenCVE AI on June 15, 2026 at 13:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade netty-codec-redis to version 4.1.135.Final or 4.2.15.Final, which contain the memory‑allocation guard.
  • Validate or limit the depth and size of Redis command arguments at the application level to prevent excessively large nested arrays before they reach Netty.
  • Monitor JVM heap usage and apply memory limits or restart policies to contain impact if a DoS attempt occurs.

Generated by OpenCVE AI on June 15, 2026 at 13:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-3244-j874-rhc2 Netty: Memory Exhaustion in RedisArrayAggregator due to Deeply Nested Arrays
History

Mon, 15 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-770
References
Metrics threat_severity

None

threat_severity

Important


Mon, 15 Jun 2026 02:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*

Fri, 12 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 11 Jun 2026 23:00:00 +0000

Type Values Removed Values Added
First Time appeared Netty
Netty netty
Vendors & Products Netty
Netty netty

Thu, 11 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
Description Netty is a network application framework for development of protocol servers and clients. In netty-codec-redis prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can cause DoS by sending a crafted Redis payload with deeply nested arrays. This forces the server to allocate a massive number of state objects and collections, leading to memory exhaustion and an OutOfMemoryError. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Title Netty: Memory Exhaustion in RedisArrayAggregator due to Deeply Nested Arrays
Weaknesses CWE-400
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-30T12:10:30.531Z

Reserved: 2026-05-05T16:33:55.844Z

Link: CVE-2026-44250

cve-icon Vulnrichment

Updated: 2026-06-30T03:20:56.526Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-11T22:16:56.857

Modified: 2026-06-15T02:30:38.483

Link: CVE-2026-44250

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-11T20:49:00Z

Links: CVE-2026-44250 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-15T14:00:12Z

Weaknesses
  • CWE-400

    Uncontrolled Resource Consumption

  • CWE-770

    Allocation of Resources Without Limits or Throttling