Description
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, the RedisArrayAggregator handler permanently leaks pooled direct-memory buffers when a Redis pipeline connection closes before a RESP array aggregate completes. The handler retains child messages in per-handler state (`depths` field) but defines no `channelInactive`, `handlerRemoved`, or `exceptionCaught` method to release them when the pipeline tears down. Because the leaked buffers are slices of `PooledByteBufAllocator` chunks, they prevent those chunks from being returned to the JVM-wide direct-memory pool. Repeated connection churn by any network peer monotonically drains this shared pool, eventually causing allocation failures on all Netty channels in the process. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Published: 2026-06-12
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from the Netty RedisArrayAggregator handler retaining pooled direct‑memory buffers when a pipeline connection closes before an array aggregate completes. The handler does not release these buffers in its lifecycle methods, causing a permanent memory leak. Over time, repeated connection churn drains the JVM‑wide direct‑memory pool, eventually producing allocation failures on all Netty channels in the process, which can lead to denial of service.

Affected Systems

Affected are applications using the Netty networking framework before version 4.1.135.Final or before 4.2.15.Final. Specifically, any project that includes netty:netty with a RedisArrayAggregator handler in its pipeline is susceptible. The issue is fixed in netty‑4.1.135.Final and netty‑4.2.15.Final releases.

Risk and Exploitability

This bug carries a CVSS score of 8.7, indicating high severity, but its EPSS score is below 1%, suggesting a low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. An attacker can trigger the memory drain by repeatedly opening and closing Redis pipeline connections from a remote address. While the condition does not require elevated privileges, repeated churn can be performed from any network peer, meaning the risk is primarily external. Mitigation is therefore advised promptly.

Generated by OpenCVE AI on June 12, 2026 at 16:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade your Netty dependency to at least 4.1.135.Final or 4.2.15.Final.
  • If an upgrade cannot be performed immediately, remove the RedisArrayAggregator handler or replace it with an implementation that correctly releases resources on channel close.
  • Monitor JVM direct‑memory utilization and enforce limits with -XX:MaxDirectMemorySize to prevent service degradation while remediation is underway.

Generated by OpenCVE AI on June 12, 2026 at 16:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-6jv9-x5w9-2ccm Netty's Lack of Lifecycle Cleanup Leads to Pooled ByteBuf Leak in RedisArrayAggregator
History

Fri, 12 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 12 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Netty
Netty netty
Vendors & Products Netty
Netty netty

Fri, 12 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, the RedisArrayAggregator handler permanently leaks pooled direct-memory buffers when a Redis pipeline connection closes before a RESP array aggregate completes. The handler retains child messages in per-handler state (`depths` field) but defines no `channelInactive`, `handlerRemoved`, or `exceptionCaught` method to release them when the pipeline tears down. Because the leaked buffers are slices of `PooledByteBufAllocator` chunks, they prevent those chunks from being returned to the JVM-wide direct-memory pool. Repeated connection churn by any network peer monotonically drains this shared pool, eventually causing allocation failures on all Netty channels in the process. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Title Netty's Lack of Lifecycle Cleanup Leads to Pooled ByteBuf Leak in RedisArrayAggregator
Weaknesses CWE-401
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Netty Netty
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T16:43:15.426Z

Reserved: 2026-05-20T17:44:09.585Z

Link: CVE-2026-48006

cve-icon Vulnrichment

Updated: 2026-06-12T16:42:48.459Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-06-12T16:16:30.450

Modified: 2026-06-12T16:18:27.287

Link: CVE-2026-48006

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-12T16:30:14Z

Weaknesses
  • CWE-401

    Missing Release of Memory after Effective Lifetime