Redis CVE-2026-44890

Severity: HIGH
Weakness: Uncontrolled Resource Consumption (CWE-400)
2026-06-08 · https://github.com/netty/netty · GHSA-6ghj-frrj-jjj3
CVSS 3.1 base score: 7.5
CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

Source Code Evidence Fetched: Jun 08, 2026 19:50 (vuln.today)
Analysis Generated: Jun 08, 2026 19:50 (vuln.today)

Blast Radius

Ecosystem impact (transitive dependency graph, resolved by vuln.today to a depth of 4 paths):
  • 76 Maven packages depend on io.netty:netty-codec-redis (4 direct, 72 indirect)

Ecosystem-wide dependent count for version 4.2.0.Final.

Description (NVD)

Summary

An attacker can cause DoS by sending crafted Redis payloads across multiple connections without \r\n. This exhausts the server's direct memory pool (OutOfDirectMemoryError), preventing legitimate connections from being processed.

Details

io.netty.handler.codec.redis.RedisDecoder decodes the length of bulk strings and array headers using the decodeLength method. This method reads bytes from the network until it encounters a \n character. However, it does not enforce any maximum length check while buffering the bytes if the \n character is not found. An attacker can exploit this by sending a continuous stream of digits (e.g., $1111...) without ever sending a \n.

To cause a true Denial of Service, an attacker must open multiple concurrent connections and distribute the unbounded payloads among them.

According to the RESP specification (https://redis.io/docs/latest/develop/reference/protocol-spec/), all parts of the protocol are strictly terminated with \r\n. Furthermore, the length prefix itself is an integer representation that must fit within standard numeric limits (e.g., a 64-bit signed integer). Therefore, a stream of digits exceeding these bounds without \r\n is a protocol violation and should be rejected immediately rather than buffered indefinitely.
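As an added illustration, and not code from Netty or from this advisory, the following Python model shows the check the advisory says decodeLength lacked: an unterminated length header is rejected as soon as it is longer than any valid RESP length prefix could be, and a terminated one is checked against the 64-bit limit before it is accepted. The class, function names and the constant MAX_HEADER_BYTES are assumptions of this example.

```python
from dataclasses import dataclass, field

INT64_MAX = 2**63 - 1
MAX_LENGTH_DIGITS = len(str(INT64_MAX))            # 19: a valid length never needs more
MAX_HEADER_BYTES = 1 + 1 + MAX_LENGTH_DIGITS + 2   # type byte, optional '-', digits, "\r\n"


class RespProtocolError(ValueError):
    """Framing violation: the caller should close the connection, not keep reading."""


@dataclass
class BoundedLengthDecoder:
    """Incrementally decodes one '$<len>\\r\\n' or '*<len>\\r\\n' header from chunks."""
    buf: bytearray = field(default_factory=bytearray)

    def feed(self, chunk: bytes):
        """Return None while the header is incomplete, else (type_char, length, leftover)."""
        self.buf += chunk
        lf = self.buf.find(b"\n")
        if lf == -1:
            # The mitigation: an unterminated header longer than any valid one is
            # rejected at once instead of being buffered until direct memory runs out.
            if len(self.buf) > MAX_HEADER_BYTES:
                self.buf.clear()
                raise RespProtocolError("length header exceeds %d bytes without CRLF" % MAX_HEADER_BYTES)
            return None
        header, leftover = bytes(self.buf[:lf + 1]), bytes(self.buf[lf + 1:])
        self.buf.clear()
        if len(header) > MAX_HEADER_BYTES or not header.endswith(b"\r\n"):
            raise RespProtocolError("malformed length header %r" % header)
        type_char, body = chr(header[0]), header[1:-2]
        if type_char not in "$*":
            raise RespProtocolError("unexpected header type %r" % type_char)
        negative = body.startswith(b"-")
        digits = body[1:] if negative else body
        if not digits.isdigit():                    # also rejects an empty digit run
            raise RespProtocolError("non-numeric length %r" % body)
        length = -int(digits) if negative else int(digits)
        if length < -1 or length > INT64_MAX:       # -1 is RESP's null bulk string / array
            raise RespProtocolError("length %d outside RESP limits" % length)
        return type_char, length, leftover


def decode_stream(chunks):
    """Run one connection's chunks through the decoder; ('ok', headers) or ('closed', reason)."""
    dec, headers = BoundedLengthDecoder(), []
    for chunk in chunks:
        pending = chunk
        while pending:                              # a chunk may carry several headers
            try:
                result = dec.feed(pending)
            except RespProtocolError as exc:
                return "closed", str(exc)
            if result is None:
                break
            headers.append(result[:2])
            pending = result[2]
    return "ok", headers
```

Bulk-string payload bytes that follow a header are returned as leftover for the caller; this model only frames the length prefixes.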

Impact

Denial of Service due to memory exhaustion. Any application using Netty's RedisDecoder to handle untrusted Redis traffic is vulnerable.

Analysis (AI)

Remote denial of service in Netty's netty-codec-redis module (versions <= 4.1.134.Final and 4.2.0.Final through 4.2.14.Final) allows unauthenticated attackers to exhaust direct memory by sending crafted RESP protocol payloads lacking the required \r\n terminator across multiple concurrent connections. The RedisDecoder buffers digit streams indefinitely while awaiting a line terminator, eventually triggering OutOfDirectMemoryError and preventing legitimate connections from being processed. …

Recommended Action (AI)

Within 24 hours: Inventory all services using Netty netty-codec-redis module versions ≤ 4.1.134.Final or 4.2.0.Final through 4.2.14.Final. …
