Description
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, RedisArrayAggregator pre-allocates ArrayList with initial capacity equal to the RESP array element count declared in an array header. That count is taken from the wire before the corresponding child messages exist. A small malicious header can claim a huge initial capacity. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Published: 2026-06-12
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Netty's RedisArrayAggregator pre-allocates an ArrayList whose capacity is set to the RESP array element count read from the wire. A malicious client can send a header that claims an excessively large count, causing the framework to allocate a huge internal array before any child messages are processed. This uncontrolled resource allocation can lead to out-of-memory conditions and crash or stall the server, resulting in loss of service for legitimate users.

Affected Systems

The vulnerability affects the Netty network application framework, specifically versions prior to 4.1.135.Final and 4.2.15.Final. Users running any Netty deployment that parses the Redis protocol are at risk unless their application is patched to a newer release.

Risk and Exploitability

The CVSS score of 7.5 classifies the flaw as a high-severity vulnerability. Exploitation requires the ability to send forged RESP array headers to a Netty server; whether an attacker needs to authenticate before sending such headers is not specified in the CVE data. Because the EPSS is not available, the exact likelihood of exploitation is unknown, and the flaw is not yet listed in CISA's KEV catalog, but the large potential impact warrants caution. An attacker could trigger memory exhaustion and cause a denial of service, impacting availability for all users of the affected service.

Generated by OpenCVE AI on June 12, 2026 at 16:52 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the Netty dependency to version 4.1.135.Final or 4.2.15.Final or later and rebuild the application.
  • Ensure build and deployment pipelines lock the Netty version to a patched release to prevent accidental downgrade.
  • If an upgrade cannot be performed immediately, validate RESP array lengths at the application layer and reject requests that request an array size beyond a safe limit before the data reaches Netty.
  • Monitor server memory usage for abnormal spikes that may indicate an attempted exploit and alert operators accordingly.
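The third recommended action above, validating RESP array lengths before the declared count can drive an allocation, is shown here as an added example. This is not Netty's code and does not claim to mirror the upstream fix (which the page does not describe); the class name RespArrayHeaderGuard, the limit field maxArrayLength and the constant INITIAL_CAPACITY_CAP are assumptions chosen for this illustration. The guard parses a RESP array header of the form `*<count>\r\n`, rejects counts above a configured limit, and hands ArrayList only a small initial capacity so the list grows as child messages actually arrive rather than up front.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

/**
 * Hypothetical application-layer guard for RESP array headers (added example,
 * not Netty code). It parses "*<count>\r\n", rejects counts above a configured
 * limit, and never lets the declared count alone size an ArrayList.
 */
public final class RespArrayHeaderGuard {

    /** Upper bound on elements a single RESP array may declare (value chosen for this example). */
    private final int maxArrayLength;

    /** Largest initial capacity handed to ArrayList; the list grows as children arrive. */
    private static final int INITIAL_CAPACITY_CAP = 16;

    public RespArrayHeaderGuard(int maxArrayLength) {
        if (maxArrayLength < 0) {
            throw new IllegalArgumentException("maxArrayLength must be >= 0");
        }
        this.maxArrayLength = maxArrayLength;
    }

    /**
     * Parses a RESP array header "*<count>\r\n" and returns the declared element
     * count, or -1 for the RESP null array "*-1\r\n". Throws IllegalArgumentException
     * on malformed input or on a count above the configured limit.
     */
    public int parseArrayHeader(byte[] header) {
        int len = header.length;
        if (len < 4 || header[0] != '*' || header[len - 2] != '\r' || header[len - 1] != '\n') {
            throw new IllegalArgumentException("malformed RESP array header");
        }
        String digits = new String(header, 1, len - 3, StandardCharsets.US_ASCII);
        if (digits.equals("-1")) {
            return -1; // null array: nothing to allocate
        }
        long count;
        try {
            // Parse as long so a count wider than int is caught by the range check below
            // instead of silently wrapping; absurdly long digit strings fail parsing.
            count = Long.parseLong(digits);
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("non-numeric RESP array length: " + digits, e);
        }
        if (count < 0 || count > maxArrayLength) {
            throw new IllegalArgumentException(
                "RESP array length " + count + " exceeds limit " + maxArrayLength);
        }
        return (int) count;
    }

    /**
     * Allocates the child list for an already-validated count. The wire value
     * influences the initial capacity only up to INITIAL_CAPACITY_CAP, so even a
     * count at the configured limit cannot force a large up-front allocation.
     */
    public <T> List<T> newChildList(int validatedCount) {
        int initial = validatedCount < 0 ? 0 : Math.min(validatedCount, INITIAL_CAPACITY_CAP);
        return new ArrayList<>(initial);
    }

    public static void main(String[] args) {
        RespArrayHeaderGuard guard = new RespArrayHeaderGuard(1024);

        // Constructed sample headers for the demonstration.
        byte[] benign = "*3\r\n".getBytes(StandardCharsets.US_ASCII);
        byte[] oversized = "*2147483647\r\n".getBytes(StandardCharsets.US_ASCII);

        int n = guard.parseArrayHeader(benign);
        List<Object> children = guard.newChildList(n);
        System.out.println("accepted count=" + n + ", children list created with bounded capacity, size=" + children.size());

        try {
            guard.parseArrayHeader(oversized);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The two controls are independent: the limit check rejects a header that declares more elements than the deployment can reasonably expect, and the capacity cap ensures that whatever count survives that check is still not trusted to size memory directly. The limit value itself should be set from the application's actual command shapes, and rejected headers are worth logging, since they are the signal the monitoring action in the list above is looking for.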

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 16:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Netty; Netty netty
Vendors & Products                    Netty; Netty netty

Fri, 12 Jun 2026 16:30:00 +0000

Type     Values Removed   Values Added
Metrics                   ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 12 Jun 2026 15:45:00 +0000

Type          Values Removed   Values Added
Description                    Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, RedisArrayAggregator pre-allocates ArrayList with initial capacity equal to the RESP array element count declared in an array header. That count is taken from the wire before the corresponding child messages exist. A small malicious header can claim a huge initial capacity. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Title                          Netty has unbounded pre-allocation in RedisArrayAggregator from RESP array length
Weaknesses                     CWE-400; CWE-770
References
Metrics                        cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T15:59:14.737Z

Reserved: 2026-06-02T22:46:02.578Z

Link: CVE-2026-50011

Vulnrichment

Updated: 2026-06-12T15:59:11.176Z

NVD

Status: Undergoing Analysis

Published: 2026-06-12T16:16:31.313

Modified: 2026-06-12T16:18:27.287

Link: CVE-2026-50011

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T17:00:07Z

Weaknesses
  • CWE-400: Uncontrolled Resource Consumption
  • CWE-770: Allocation of Resources Without Limits or Throttling