
Netty CVE-2026-44250

Severity: HIGH (CVSS 3.1 base score 7.5)
Weakness: Uncontrolled Resource Consumption (CWE-400)
Date: 2026-06-08
Project: https://github.com/netty/netty
Advisory: GHSA-3244-j874-rhc2

CVSS Vector (source: NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: None
  • Availability: High

Lifecycle Timeline

  • Source Code Evidence Fetched: Jun 08, 2026 - 19:50 (vuln.today)
  • Analysis Generated: Jun 08, 2026 - 19:50 (vuln.today)

Blast Radius

Ecosystem impact (transitive dependency graph, resolved by vuln.today to a depth of 4 paths):
  • 76 maven packages depend on io.netty:netty-codec-redis (4 direct, 72 indirect)

Ecosystem-wide dependent count for version 4.2.0.Final.

Description (source: NVD)

Summary

An attacker can cause DoS by sending a crafted Redis payload with deeply nested arrays. This forces the server to allocate a massive number of state objects and collections, leading to memory exhaustion and an OutOfMemoryError.

Details

io.netty.handler.codec.redis.RedisArrayAggregator aggregates RedisMessage parts into ArrayRedisMessage. It uses a Deque<AggregateState> to keep track of nested arrays. However, it does not limit the maximum depth of nested arrays. When an attacker sends a continuous stream of nested array headers (e.g., *1\r\n*1\r\n*1\r\n...), RedisArrayAggregator pushes a new AggregateState onto the stack and allocates a new ArrayList for each header. Because there is no depth limit, an attacker can send millions of such headers. This consumes a massive amount of heap memory for the AggregateState instances and their backing ArrayLists, eventually resulting in an OutOfMemoryError.
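To make the mechanism concrete, here is an added Python model (not Netty's code) of the Deque<AggregateState> aggregator described above, with the per-connection depth cap that the vulnerable version lacks; the frame tuples and the constructed header stream are assumptions made for the example.

```python
from collections import deque
from dataclasses import dataclass, field

class NestingTooDeep(Exception):
    """Raised when open (incomplete) arrays exceed the configured limit."""

@dataclass
class AggregateState:
    remaining: int                      # elements still expected in this array
    children: list = field(default_factory=list)

def aggregate(frames, max_depth=None):
    """Fold decoded RESP frames into nested lists, like RedisArrayAggregator.
    frames: ('array', n) headers or ('bulk', bytes) elements; max_depth=None is the
    unbounded behaviour. Returns (completed top-level messages, peak open arrays)."""
    stack = deque()                     # one AggregateState per open array
    results, peak = [], 0
    def complete(value):
        # Attach a finished value to its parent; pop parents that become full.
        while stack:
            top = stack[-1]
            top.children.append(value)
            top.remaining -= 1
            if top.remaining:
                return
            stack.pop()
            value = top.children
        results.append(value)

    for kind, payload in frames:
        if kind != 'array':
            complete(payload)
        elif payload == 0:
            complete([])                # '*0\r\n' is an empty array, no state kept
        else:
            if max_depth is not None and len(stack) >= max_depth:
                raise NestingTooDeep(f'{len(stack)} open arrays; close the connection')
            stack.append(AggregateState(remaining=payload))
            peak = max(peak, len(stack))
    return results, peak

def nested_headers(n):                  # constructed DoS stream: n '*1\r\n' headers, no elements
    return [('array', 1)] * n

def rejected(frames, max_depth):        # True when the capped aggregator refuses the stream
    try:
        aggregate(frames, max_depth)
        return False
    except NestingTooDeep:
        return True
```

With `max_depth=None` the pending-array stack grows with every header and is never released, which is the heap growth the advisory describes; the cap turns that into a bounded, closeable error.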

Impact

Denial of Service due to memory exhaustion. Any application using Netty's RedisArrayAggregator to handle untrusted Redis traffic is vulnerable.

Analysis (AI-generated)

Denial of service in Netty's netty-codec-redis module (versions <= 4.1.134.Final and 4.2.0.Final through 4.2.14.Final) allows remote unauthenticated attackers to exhaust JVM heap memory by sending Redis payloads with unbounded nested array headers. The RedisArrayAggregator allocates a new AggregateState and ArrayList for every nested array header without enforcing a depth limit, so a continuous stream of *1\r\n headers triggers an OutOfMemoryError. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

  • Access: Identify Netty RESP listener
  • Delivery: Open TCP connection to decoder
  • Exploit: Stream unbounded nested array headers
  • Execution: RedisArrayAggregator allocates AggregateState per level
  • Persist: JVM heap exhausted, OutOfMemoryError thrown
  • Impact: Service crashes or becomes unresponsive

Vulnerability Assessment (AI-generated)

Exploitation: The target application must use Netty's netty-codec-redis module and place RedisArrayAggregator (typically together with RedisDecoder) into a pipeline that processes RESP bytes from an untrusted peer, for example a Netty-based Redis proxy, a custom RESP-speaking server, or any service that forwards client-supplied Redis traffic. …

Risk Assessment: The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H accurately reflects a network-reachable, unauthenticated, low-complexity availability-only attack and produces a base score of 7.5 (High). …

Exploit Scenario: An attacker who can open a TCP connection to a service that decodes untrusted RESP traffic with RedisArrayAggregator (for example a Redis-protocol proxy or RESP-speaking server built on Netty) opens a single socket and streams an unbounded sequence of array-header frames such as `*1\r\n*1\r\n*1\r\n...`. The decoder pushes a new AggregateState plus a backing ArrayList for each header, and within seconds heap usage climbs until the JVM throws OutOfMemoryError and the process becomes unresponsive or crashes. …

Remediation: Vendor-released patch: upgrade to io.netty:netty-codec-redis 4.1.135.Final (4.1.x line) or 4.2.15.Final (4.2.x line) as documented at https://github.com/netty/netty/releases/tag/netty-4.1.135.Final and https://github.com/netty/netty/releases/tag/netty-4.2.15.Final and tracked in advisory https://github.com/netty/netty/security/advisories/GHSA-3244-j874-rhc2. …

Recommended Action (AI-generated)

Within 24 hours: Identify and inventory all applications using netty-codec-redis versions ≤4.1.134.Final or 4.2.0.Final-4.2.14.Final; assess which deployed services process untrusted Redis protocol input and are exposed to remote networks. …
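As an added example for the inventory step (not vuln.today tooling), this Python script flags vulnerable io.netty:netty-codec-redis coordinates in `mvn dependency:tree` output using the version ranges the advisory gives; the sample tree lines are constructed.

```python
import re

ARTIFACT = "io.netty:netty-codec-redis"
# Ranges from the advisory text: <= 4.1.134.Final, and 4.2.0.Final .. 4.2.14.Final.
FIXED_41 = (4, 1, 135)      # first fixed release on the 4.1.x line
FIXED_42 = (4, 2, 15)       # first fixed release on the 4.2.x line

# Matches the "group:artifact:jar:version[:scope]" coordinate in a dependency:tree line.
COORD = re.compile(r"([\w.-]+):([\w.-]+):jar:([\w.-]+)(?::(\w+))?")


def parse_version(v):
    """'4.1.134.Final' -> (4, 1, 134); the trailing qualifier is ignored."""
    major, minor, patch = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", v).groups()
    return int(major), int(minor), int(patch or 0)


def is_vulnerable(version):
    v = parse_version(version)
    return v < FIXED_41 or (4, 2, 0) <= v < FIXED_42


def scan_dependency_tree(text):
    """Return (version, scope) for every vulnerable netty-codec-redis coordinate."""
    hits = []
    for line in text.splitlines():
        m = COORD.search(line)
        if not m:
            continue
        group, artifact, version, scope = m.groups()
        if f"{group}:{artifact}" == ARTIFACT and is_vulnerable(version):
            hits.append((version, scope or "compile"))
    return hits


# Constructed sample of `mvn dependency:tree` output, not real project data.
SAMPLE_TREE = """\
[INFO] com.example:redis-proxy:jar:1.0.0
[INFO] +- io.netty:netty-codec-redis:jar:4.1.134.Final:compile
[INFO] |  \\- io.netty:netty-codec:jar:4.1.134.Final:compile
[INFO] +- io.netty:netty-codec-redis:jar:4.2.15.Final:test
[INFO] \\- io.netty:netty-codec-redis:jar:4.2.3.Final:runtime
"""

if __name__ == "__main__":
    for version, scope in scan_dependency_tree(SAMPLE_TREE):
        print(f"vulnerable: {ARTIFACT}:{version} ({scope})")
```

Run it against real output with `mvn dependency:tree | python3 scan.py` after swapping SAMPLE_TREE for `sys.stdin.read()`; transitive hits matter as much as direct ones, since the Blast Radius section counts 72 indirect dependents.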
