Impact
The vulnerability arises because the Netty RedisArrayAggregator handler keeps references to pooled direct-memory buffers for the elements of an array that is still being assembled. If the connection closes before the aggregate completes, the handler's lifecycle callbacks (handlerRemoved, which Netty invokes when the pipeline is torn down on channel close) do not release those partially collected buffers, so their reference counts never reach zero and the memory is never returned to the pool. Each aborted aggregate therefore leaks its buffers permanently. Under repeated connection churn the JVM-wide direct-memory pool is drained until allocations fail on every Netty channel in the process, which is a denial of service. This flaw aligns with CWE-401 (missing release of memory after effective lifetime) and CWE-772 (missing release of resource after effective lifetime).
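The following is an added example, not Netty's own code or the patched RedisArrayAggregator: a hypothetical stand-in aggregator (CountingAggregator) that collects a fixed number of ByteBuf elements and hands them downstream as one list, driven through Netty's EmbeddedChannel so the leak and the fix can be observed without a network. It assumes netty-all 4.1.x on the classpath; the class and method names are illustrative.

```java
import io.netty.buffer.ByteBuf;
import io.netty.buffer.PooledByteBufAllocator;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelInboundHandlerAdapter;
import io.netty.channel.embedded.EmbeddedChannel;
import io.netty.util.CharsetUtil;
import io.netty.util.ReferenceCountUtil;

import java.util.ArrayList;
import java.util.List;

public class AggregatorLeakDemo {

    /**
     * Hypothetical stand-in for an array aggregator (not Netty's
     * RedisArrayAggregator): buffers `expected` ByteBuf elements and emits them
     * downstream as one List. `releaseOnRemoval` selects the buggy or the fixed
     * lifecycle behaviour.
     */
    static final class CountingAggregator extends ChannelInboundHandlerAdapter {
        private final int expected;
        private final boolean releaseOnRemoval;
        private final List<ByteBuf> pending = new ArrayList<>();

        CountingAggregator(int expected, boolean releaseOnRemoval) {
            this.expected = expected;
            this.releaseOnRemoval = releaseOnRemoval;
        }

        @Override
        public void channelRead(ChannelHandlerContext ctx, Object msg) {
            if (!(msg instanceof ByteBuf)) {
                ctx.fireChannelRead(msg);
                return;
            }
            pending.add((ByteBuf) msg); // this handler now owns the reference
            if (pending.size() == expected) {
                List<ByteBuf> complete = new ArrayList<>(pending);
                pending.clear();
                ctx.fireChannelRead(complete); // ownership moves downstream
            }
        }

        // Netty calls handlerRemoved when the handler leaves the pipeline,
        // including pipeline teardown on channel close. The fixed variant
        // releases the half-built aggregate here; the buggy variant just drops
        // the references, so the pooled memory is never returned.
        @Override
        public void handlerRemoved(ChannelHandlerContext ctx) {
            if (releaseOnRemoval) {
                for (ByteBuf buf : pending) {
                    ReferenceCountUtil.release(buf);
                }
                pending.clear();
            }
        }
    }

    /** Delivers one of three expected elements, closes the channel, reports the element's refCnt. */
    static int refCntAfterAbortedAggregate(boolean fixed) {
        EmbeddedChannel ch = new EmbeddedChannel(new CountingAggregator(3, fixed));
        ByteBuf element = PooledByteBufAllocator.DEFAULT.directBuffer(16);
        element.writeBytes("partial".getBytes(CharsetUtil.US_ASCII)); // constructed sample element
        ch.writeInbound(element); // first element of the array arrives...
        ch.finish();              // ...then the peer closes the connection mid-array
        return element.refCnt();  // 1 = still held (leaked), 0 = returned to the pool
    }

    public static void main(String[] args) {
        System.out.println("no release in handlerRemoved: refCnt=" + refCntAfterAbortedAggregate(false));
        System.out.println("release in handlerRemoved:    refCnt=" + refCntAfterAbortedAggregate(true));
    }
}
```

Running main prints refCnt=1 for the unfixed variant and refCnt=0 for the fixed one. In a real service the leaked ByteBuf objects become unreachable after close, so Netty's ResourceLeakDetector (-Dio.netty.leakDetection.level=paranoid) will report them; that is a practical way to confirm whether a deployment exhibits the issue under connection churn.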
Affected Systems
Affected are applications built on the Netty networking framework in the 4.1.x line before 4.1.135.Final and in the 4.2.x line before 4.2.15.Final. Specifically, any project that depends on netty:netty and places a RedisArrayAggregator handler in its channel pipeline is susceptible; the handler lives in the netty-codec-redis module (package io.netty.handler.codec.redis), so that module's presence on the classpath is the quickest indicator to check. The issue is fixed in the netty-4.1.135.Final and netty-4.2.15.Final releases.
Risk and Exploitability
This bug carries a CVSS base score of 8.7 (High), but its EPSS score is below 1%, which suggests a low likelihood of exploitation in the wild at present. The likely attack vector, inferred from the description, is an external network peer that repeatedly opens a connection, sends part of a Redis array, and closes the connection before the array completes, draining direct memory with each cycle. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires no privileges or authentication on the target, so the exposure is primarily to unauthenticated peers that can reach the affected pipeline. Upgrading to a fixed release promptly is therefore advised.
OpenCVE Enrichment: Github GHSA