
Netty CVE-2026-48006 (EUVD-2026-36492) · HIGH
Memory Leak (CWE-401)
Published 2026-06-11 · Vendor: https://github.com/netty/netty · Advisory: GHSA-6jv9-x5w9-2ccm
8.7 HIGH (CVSS 4.0, vendor rating)

Severity by source

  • Vendor (https://github.com/netty/netty), primary rating: 8.7 HIGH
    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • vuln.today AI: 7.5 HIGH
    Remote unauthenticated Redis-protocol connection churn against a vulnerable Netty pipeline exhausts the shared direct-memory pool, causing process-wide availability loss with no confidentiality or integrity impact.
    CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
  • SUSE: 7.5 HIGH
    CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • Red Hat: 7.5 HIGH (qualitative)

Primary rating from Vendor (https://github.com/netty/netty). The 8.7 and 7.5 figures do not disagree about impact: the same unauthenticated, network-reachable, availability-only vector scores 8.7 under CVSS 4.0 and 7.5 under CVSS 3.1.

CVSS Vector (Vendor: https://github.com/netty/netty)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

  • Attack Vector: Network
  • Attack Complexity: Low
  • Attack Requirements: None
  • Privileges Required: None
  • User Interaction: None
  • Vulnerable System Confidentiality / Integrity / Availability: None / None / High
  • Subsequent System Confidentiality / Integrity / Availability: None / None / None
  • Threat, Environmental and Supplemental metrics: not defined (X)

CVSS 4.0 has no Scope metric; the subsequent-system metrics above replace it, and all of them are None here because only the process running the vulnerable pipeline is affected.

Lifecycle Timeline (6 events)

  • Jun 12, 2026 16:31 · vuln.today · Analysis updated, v3 (cvss_changed)
  • Jun 12, 2026 16:31 · vuln.today · Analysis updated, v2 (cvss_changed)
  • Jun 12, 2026 16:22 · vuln.today · Re-analysis queued (cvss_changed)
  • Jun 12, 2026 16:22 · NVD · CVSS changed: 8.7 (HIGH)
  • Jun 11, 2026 13:52 · vuln.today · Source code evidence fetched
  • Jun 11, 2026 13:52 · vuln.today · Analysis generated

Blast Radius (ecosystem impact)

  • 76 Maven packages depend on io.netty:netty-codec-redis (4 direct, 72 indirect; transitive graph resolved by vuln.today to a depth of 4)

Ecosystem-wide dependent count for version 4.2.0.Final.

Description (CVE.org)

Impact

The RedisArrayAggregator handler permanently leaks pooled direct-memory buffers when a Redis pipeline connection closes before a RESP array aggregate completes. The handler retains child messages in per-handler state (depths field) but defines no channelInactive, handlerRemoved, or exceptionCaught method to release them when the pipeline tears down. Because the leaked buffers are slices of PooledByteBufAllocator chunks, they prevent those chunks from being returned to the JVM-wide direct-memory pool. Repeated connection churn by any network peer monotonically drains this shared pool, eventually causing allocation failures on all Netty channels in the process.

Analysis (AI)

Memory exhaustion in Netty's RedisArrayAggregator handler (io.netty:netty-codec-redis) allows remote unauthenticated attackers to drain the JVM-wide direct-memory pool by repeatedly opening and closing Redis pipeline connections before RESP array aggregates complete. Affects netty-codec-redis 4.1.x through 4.1.134.Final and 4.2.0.Final through 4.2.14.Final; vendor patches are available in 4.1.135.Final and 4.2.15.Final. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

  • Recon: identify a Netty service whose pipeline contains RedisArrayAggregator
  • Delivery: open a Redis pipeline connection
  • Exploit: send a partial RESP array prefix
  • Install: abruptly close the connection mid-aggregate
  • C2: repeat to pin pooled chunks
  • Execute: exhaust the JVM direct-memory pool
  • Impact: deny service across all Netty channels

The stage names are the fixed kill-chain template; nothing is installed and no command channel exists. "Install" and "C2" here stand for the abandon-and-repeat loop that keeps pooled chunks pinned.

Vulnerability Assessment (AI)

Exploitation: The target process must use io.netty:netty-codec-redis in an affected version (4.1.x up to 4.1.134.Final, or 4.2.0.Final through 4.2.14.Final) with a Netty pipeline that includes RedisArrayAggregator processing inbound RESP traffic. …
Risk Assessment: The vendor-supplied CVSS 4.0 vector AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N (score 8.7) reflects a remote, unauthenticated, low-complexity availability impact with no confidentiality or integrity loss, which is accurate for a process-wide direct-memory exhaustion DoS triggered purely by Redis pipeline connection churn. …
Exploit Scenario: An attacker repeatedly opens TCP connections to a Netty-based service that uses RedisArrayAggregator (for example, a Redis proxy or broker), sends the prefix of a RESP array such as '*3\r\n$3\r\nfoo\r\n' so the aggregator buffers child elements, then closes the socket before the aggregate completes. Each abandoned aggregation pins a PooledByteBuf slice in the per-handler depths field, which keeps an entire pooled chunk allocated; over thousands of iterations the JVM-wide direct-memory pool is exhausted, subsequent allocations on every Netty channel in the process fail, and service is denied to all clients. …
Remediation: Vendor-released patch: upgrade io.netty:netty-codec-redis to 4.2.15.Final on the 4.2.x branch or 4.1.135.Final on the 4.1.x branch, per the Netty advisory at https://github.com/netty/netty/security/advisories/GHSA-6jv9-x5w9-2ccm. …
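
The leak pattern from the Impact and Exploit Scenario sections, as an added example that is not Netty's own RedisArrayAggregator code: AggregatorLeakDemo, LeakyAggregator and SafeAggregator are hypothetical classes written for this page. The aggregator is deliberately cut down (it consumes raw ByteBuf frames rather than RedisDecoder's RedisMessage objects, and uses Unpooled buffers so the leak shows up as a refCnt that never reaches 0 instead of as a pinned pooled chunk), but the failure mode is the one the advisory describes: references held in per-handler state with no channelInactive, handlerRemoved or exceptionCaught hook to release them when the peer closes mid-aggregate. It assumes Netty 4.1 or 4.2 (netty-buffer, netty-transport, netty-common) on the classpath.

```java
import io.netty.buffer.ByteBuf;
import io.netty.buffer.CompositeByteBuf;
import io.netty.buffer.Unpooled;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelInboundHandlerAdapter;
import io.netty.channel.embedded.EmbeddedChannel;
import io.netty.util.CharsetUtil;
import io.netty.util.ReferenceCountUtil;

import java.util.ArrayDeque;
import java.util.Deque;

// Added example (not Netty's RedisArrayAggregator): a cut-down aggregator that shows
// the leak pattern and its fix. The first inbound frame "*N" announces how many child
// frames follow; children are held in handler state until all N have arrived.
public class AggregatorLeakDemo {

    /** Vulnerable shape: children live in per-handler state and nothing releases them on teardown. */
    static class LeakyAggregator extends ChannelInboundHandlerAdapter {
        protected int expected = -1;                        // -1: waiting for a "*N" header
        protected final Deque<ByteBuf> children = new ArrayDeque<>();

        @Override
        public void channelRead(ChannelHandlerContext ctx, Object msg) {
            ByteBuf frame = (ByteBuf) msg;
            if (expected < 0) {
                // header frame, e.g. "*3\r\n": parse the child count, drop the header itself
                expected = Integer.parseInt(frame.toString(CharsetUtil.US_ASCII).substring(1).trim());
                frame.release();
                return;
            }
            children.add(frame);                            // handler now owns the reference
            if (children.size() == expected) {
                CompositeByteBuf aggregate = ctx.alloc().compositeBuffer();
                while (!children.isEmpty()) {
                    aggregate.addComponent(true, children.poll()); // ownership moves to the composite
                }
                expected = -1;
                ctx.fireChannelRead(aggregate);
            }
        }
        // No channelInactive / handlerRemoved / exceptionCaught: if the peer closes
        // mid-aggregate, every buffer still queued in `children` is never released.
    }

    /** Hardened shape: the same handler plus teardown hooks that drop the partial aggregate. */
    static class SafeAggregator extends LeakyAggregator {
        private void releaseState() {
            ByteBuf b;
            while ((b = children.poll()) != null) {
                ReferenceCountUtil.release(b);
            }
            expected = -1;
        }

        @Override
        public void channelInactive(ChannelHandlerContext ctx) {
            releaseState();
            ctx.fireChannelInactive();
        }

        @Override
        public void handlerRemoved(ChannelHandlerContext ctx) {
            releaseState();                                 // fires on pipeline teardown and on dynamic removal
        }

        @Override
        public void exceptionCaught(ChannelHandlerContext ctx, Throwable cause) {
            releaseState();
            ctx.fireExceptionCaught(cause);
        }
    }

    /**
     * Replays the exploit scenario in an EmbeddedChannel: the peer sends the array header
     * and one of three announced children, then closes the socket. Returns the child's
     * refCnt afterwards: a non-zero value means the handler still holds it (leaked).
     */
    static int abandonedChildRefCnt(ChannelInboundHandlerAdapter handler) {
        EmbeddedChannel ch = new EmbeddedChannel(handler);
        ch.writeInbound(Unpooled.copiedBuffer("*3\r\n", CharsetUtil.US_ASCII));
        ByteBuf child = Unpooled.copiedBuffer("$3\r\nfoo\r\n", CharsetUtil.US_ASCII);
        ch.writeInbound(child);
        ch.close().syncUninterruptibly();                   // abrupt disconnect before children 2 and 3 arrive
        return child.refCnt();
    }

    public static void main(String[] args) {
        System.out.println("LeakyAggregator: child refCnt after close = " + abandonedChildRefCnt(new LeakyAggregator()));
        System.out.println("SafeAggregator:  child refCnt after close = " + abandonedChildRefCnt(new SafeAggregator()));
    }
}
```

The same three hooks are what to look for when reviewing any stateful decoder or aggregator handler. Of the three, handlerRemoved is the one Netty also invokes when the pipeline is destroyed after the channel closes, so it is the minimum a handler that keeps reference-counted state must implement; channelInactive and exceptionCaught release the state earlier, before the pipeline unwinds.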

Recommended Action (AI)

Within 24 hours: Identify all systems and applications using io.netty:netty-codec-redis versions 4.1.x through 4.1.134.Final or 4.2.0.Final through 4.2.14.Final. …
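
A first-pass inventory check for the 24-hour action above, added here as an example and not a tool from Netty or from the advisory: NettyCodecRedisCheck is a hypothetical class that scans `mvn dependency:tree` output for io.netty:netty-codec-redis and flags resolved versions that fall inside the two affected ranges quoted above. The dependency tree in main is constructed for the demo.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example, not part of the advisory or of Netty: flags io.netty:netty-codec-redis
// artifacts in `mvn dependency:tree` output whose resolved version is in an affected range
// (4.1.x up to 4.1.134.Final, 4.2.0.Final up to 4.2.14.Final).
public class NettyCodecRedisCheck {

    // Matches the artifact coordinate as dependency:tree prints it, e.g.
    //   io.netty:netty-codec-redis:jar:4.1.120.Final:compile
    // capturing major, minor and patch; the ".Final"/".CR1" qualifier is ignored.
    private static final Pattern COORD = Pattern.compile(
            "io\\.netty:netty-codec-redis:[a-z]+:(\\d+)\\.(\\d+)\\.(\\d+)(?:\\.[A-Za-z0-9]+)?:");

    /** Affected-range check from the advisory's version list; anything else is treated as not affected. */
    static boolean isAffected(int major, int minor, int patch) {
        if (major != 4) {
            return false;
        }
        if (minor == 1) {
            return patch <= 134;          // 4.1.x through 4.1.134.Final; fixed in 4.1.135.Final
        }
        if (minor == 2) {
            return patch <= 14;           // 4.2.0.Final through 4.2.14.Final; fixed in 4.2.15.Final
        }
        return false;
    }

    /** Returns the dependency:tree lines that name an affected netty-codec-redis version. */
    static List<String> affectedLines(String dependencyTree) {
        List<String> hits = new ArrayList<>();
        for (String line : dependencyTree.split("\n")) {
            Matcher m = COORD.matcher(line);
            if (!m.find()) {
                continue;
            }
            int major = Integer.parseInt(m.group(1));
            int minor = Integer.parseInt(m.group(2));
            int patch = Integer.parseInt(m.group(3));
            if (isAffected(major, minor, patch)) {
                hits.add(line.trim());
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample of: mvn dependency:tree -Dincludes=io.netty:netty-codec-redis
        // (two affected versions and one fixed one, so both branches of the check are exercised)
        String sample = String.join("\n",
                "[INFO] com.example:redis-proxy:jar:1.0.0",
                "[INFO] +- io.netty:netty-codec-redis:jar:4.1.120.Final:compile",
                "[INFO] +- com.example:cache-client:jar:2.3.0:compile",
                "[INFO] |  \\- io.netty:netty-codec-redis:jar:4.2.14.Final:compile",
                "[INFO] \\- com.example:tooling:jar:0.9.0:test",
                "[INFO]    \\- io.netty:netty-codec-redis:jar:4.2.15.Final:test");
        List<String> hits = affectedLines(sample);
        if (hits.isEmpty()) {
            System.out.println("no affected netty-codec-redis versions found");
        } else {
            System.out.println(hits.size() + " affected dependency line(s):");
            for (String hit : hits) {
                System.out.println("  " + hit);
            }
        }
    }
}
```

Run `mvn dependency:tree -Dincludes=io.netty:netty-codec-redis` in every module and feed the output to affectedLines. The version the tree prints is the one Maven resolved after nearest-wins mediation, which is what ends up on the classpath, so a fixed version declared somewhere in the graph does not help if an older declaration wins. Shaded or fat jars bundle their own copy of netty-codec-redis that never appears in the consuming project's tree and have to be inspected separately.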


Vendor Status

SUSE (severity: Important)

  • openSUSE Tumbleweed: Fixed
  • SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS: Affected
  • SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS: Affected
  • SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS: Affected
  • SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS: Affected


CVE-2026-48006 vulnerability details – vuln.today
