Description
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, the RedisArrayAggregator handler permanently leaks pooled direct-memory buffers when a Redis pipeline connection closes before a RESP array aggregate completes. The handler retains child messages in per-handler state (`depths` field) but defines no `channelInactive`, `handlerRemoved`, or `exceptionCaught` method to release them when the pipeline tears down. Because the leaked buffers are slices of `PooledByteBufAllocator` chunks, they prevent those chunks from being returned to the JVM-wide direct-memory pool. Repeated connection churn by any network peer monotonically drains this shared pool, eventually causing allocation failures on all Netty channels in the process. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Published: 2026-06-12
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from the Netty RedisArrayAggregator handler retaining pooled direct‑memory buffers when a pipeline connection closes before an array aggregate completes. The handler does not release these buffers in its lifecycle methods, causing a permanent memory leak. Over time, repeated connection churn drains the JVM‑wide direct‑memory pool, eventually producing allocation failures on all Netty channels in the process, which can lead to denial of service. This flaw aligns with CWE‑401 and CWE‑772.

Affected Systems

Affected are applications using the Netty networking framework before version 4.1.135.Final or before 4.2.15.Final. Specifically, any project that includes netty:netty with a RedisArrayAggregator handler in its pipeline is susceptible. The issue is fixed in netty‑4.1.135.Final and netty‑4.2.15.Final releases.

Risk and Exploitability

This bug carries a CVSS score of 8.7, indicating high severity, but its EPSS score is below 1%, suggesting a low likelihood of exploitation at present. The likely attack vector, inferred from the description, is that an external network peer can trigger the memory drain by repeatedly opening and closing Redis pipeline connections. The vulnerability is not listed in the CISA KEV catalog. This condition does not require elevated privileges, meaning the risk is primarily external. Mitigation is therefore advised promptly.

Generated by OpenCVE AI on June 15, 2026 at 13:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade your Netty dependency to at least 4.1.135.Final or 4.2.15.Final.
  • If an upgrade cannot be performed immediately, remove the RedisArrayAggregator handler or replace it with an implementation that correctly releases resources on channel close.
  • Monitor JVM direct‑memory utilization and enforce limits with -XX:MaxDirectMemorySize to prevent service degradation while remediation is underway.

Generated by OpenCVE AI on June 15, 2026 at 13:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-6jv9-x5w9-2ccm Netty's Lack of Lifecycle Cleanup Leads to Pooled ByteBuf Leak in RedisArrayAggregator
History

Mon, 15 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-772
References
Metrics threat_severity

None

threat_severity

Important


Mon, 15 Jun 2026 02:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Fri, 12 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 12 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Netty
Netty netty
Vendors & Products Netty
Netty netty

Fri, 12 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, the RedisArrayAggregator handler permanently leaks pooled direct-memory buffers when a Redis pipeline connection closes before a RESP array aggregate completes. The handler retains child messages in per-handler state (`depths` field) but defines no `channelInactive`, `handlerRemoved`, or `exceptionCaught` method to release them when the pipeline tears down. Because the leaked buffers are slices of `PooledByteBufAllocator` chunks, they prevent those chunks from being returned to the JVM-wide direct-memory pool. Repeated connection churn by any network peer monotonically drains this shared pool, eventually causing allocation failures on all Netty channels in the process. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Title Netty's Lack of Lifecycle Cleanup Leads to Pooled ByteBuf Leak in RedisArrayAggregator
Weaknesses CWE-401
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-30T12:10:00.333Z

Reserved: 2026-05-20T17:44:09.585Z

Link: CVE-2026-48006

cve-icon Vulnrichment

Updated: 2026-06-30T03:16:58.076Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-12T16:16:30.450

Modified: 2026-06-15T01:56:51.573

Link: CVE-2026-48006

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-12T14:36:44Z

Links: CVE-2026-48006 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-15T14:00:12Z

Weaknesses
  • CWE-401

    Missing Release of Memory after Effective Lifetime

  • CWE-772

    Missing Release of Resource after Effective Lifetime