Description
Netty is a network application framework for development of protocol servers and clients. In netty-codec-redis prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can cause DoS by sending crafted Redis payloads across multiple connections without `\r\n`. This exhausts the server's direct memory pool (OutOfDirectMemoryError), preventing legitimate connections from being processed. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Published: 2026-06-11
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Netty’s RedisDecoder can consume unlimited direct memory when it receives multiple Redis payloads that omit the required CRLF terminator. The unchecked allocation results in an OutOfDirectMemoryError, which stops the application from handling any further connections and effectively disables the service for legitimate users. The vulnerability allows an attacker to trigger this failure by sending crafted messages, leading to a denial‑of‑service condition.

Affected Systems

All instances of Netty that use netty-codec-redis versions prior to 4.1.135.Final and 4.2.15.Final. Applications, servers, or services that embed these older Netty releases are at risk.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity; the EPSS score is below 1%, indicating a very low exploitation probability and suggesting the vulnerability is rarely or not yet exploited in the wild. The vulnerability is not listed in CISA’s KEV catalog, further implying limited real-world exploitation. Based on the description, it is inferred that an attacker could exploit the flaw remotely by sending malicious Redis payloads over the network to any publicly reachable Netty endpoint that processes Redis commands when the RedisDecoder is used.

Generated by OpenCVE AI on June 15, 2026 at 14:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Netty to version 4.1.135.Final or later, or 4.2.15.Final or later, to apply the patch that limits direct memory allocation in RedisDecoder.
  • If immediate upgrade is not feasible, isolate Netty services behind a firewall and restrict inbound connections to trusted hosts or networks to reduce exposure.
  • Monitor application logs for OutOfDirectMemoryError and configure automated alerts for sudden memory spikes, enabling rapid response before the service becomes unavailable.

Generated by OpenCVE AI on June 15, 2026 at 14:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-6ghj-frrj-jjj3 Netty has Unbounded Direct Memory Consumption in its RedisDecoder
History

Mon, 15 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-770
References
Metrics threat_severity

None

threat_severity

Important


Mon, 15 Jun 2026 02:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*

Fri, 12 Jun 2026 10:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 11 Jun 2026 23:00:00 +0000

Type Values Removed Values Added
First Time appeared Netty
Netty netty
Vendors & Products Netty
Netty netty

Thu, 11 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
Description Netty is a network application framework for development of protocol servers and clients. In netty-codec-redis prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can cause DoS by sending crafted Redis payloads across multiple connections without `\r\n`. This exhausts the server's direct memory pool (OutOfDirectMemoryError), preventing legitimate connections from being processed. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Title Netty has Unbounded Direct Memory Consumption in its RedisDecoder
Weaknesses CWE-400
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-30T12:10:23.761Z

Reserved: 2026-05-07T21:50:33.545Z

Link: CVE-2026-44890

cve-icon Vulnrichment

Updated: 2026-06-30T03:18:11.927Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-11T22:16:56.997

Modified: 2026-06-15T02:30:28.063

Link: CVE-2026-44890

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-11T20:52:50Z

Links: CVE-2026-44890 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-15T15:00:10Z

Weaknesses
  • CWE-400

    Uncontrolled Resource Consumption

  • CWE-770

    Allocation of Resources Without Limits or Throttling