Skip to main content

Netty CVE-2026-50011

| EUVD-2026-36467 HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-06-12 GitHub_M GHSA-5w86-c3rq-vjj7
Denial Of Service Netty Red Hat Suse
7.5
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

RESP array header is parsed from a network socket with no auth or user interaction (AV:N/AC:L/PR:N/UI:N); impact is pure availability via heap exhaustion (A:H) with no confidentiality or integrity loss.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
HIGH
qualitative
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Patch available
Jun 12, 2026 - 17:01 EUVD
Source Code Evidence Fetched
Jun 12, 2026 - 16:19 vuln.today
Analysis Generated
Jun 12, 2026 - 16:19 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 76 maven packages depend on io.netty:netty-codec-redis (4 direct, 72 indirect)

Ecosystem-wide dependent count for version 4.2.0.Final.

DescriptionCVE.org

Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, RedisArrayAggregator pre-allocates ArrayList with initial capacity equal to the RESP array element count declared in an array header. That count is taken from the wire before the corresponding child messages exist. A small malicious header can claim a huge initial capacity. Versions 4.1.135.Final and 4.2.15.Final patch the issue.

AnalysisAI

Denial of service in Netty's io.netty:netty-codec-redis component (prior to 4.1.135.Final and 4.2.15.Final) allows remote attackers to trigger memory exhaustion by sending a crafted RESP array header that declares a huge element count, causing RedisArrayAggregator to pre-allocate an oversized ArrayList before any child messages arrive. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; EPSS data was not provided in the input.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify exposed RESP listener
Delivery
Open TCP connection to Netty service
Exploit
Send crafted RESP array header with oversized element count
Execution
RedisArrayAggregator pre-allocates oversized ArrayList
Impact
JVM heap exhaustion and service outage
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Requires the target to run a Netty pipeline that includes RedisArrayAggregator from io.netty:netty-codec-redis on a network-reachable socket - i.e. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) reflects pure availability impact reachable remotely without authentication or user interaction, which is consistent with a network-facing memory-exhaustion DoS rather than RCE or data loss. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A remote attacker reaches a service that exposes a Netty pipeline including RedisArrayAggregator on a network-reachable socket and sends a single small RESP array header (e.g. '*2147483647\r\n') declaring a near-MAX_INT element count. …
Remediation Vendor-released patch: 4.1.135.Final (4.1.x) and 4.2.15.Final (4.2.x) - upgrade io.netty:netty-codec-redis (and the rest of the Netty stack) to the matching branch using the release links above and advisory GHSA-5w86-c3rq-vjj7. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

24 hours: Identify all applications running affected Netty versions (< 4.1.135.Final or < 4.2.15.Final) and prioritize business-critical systems. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-48748 HIGH POC
7.5 Jun 12

Denial of service in the Netty HTTP/3 codec (io.netty:netty-codec-http3) prior to version 4.2.15.Final allows remote una
CVE-2026-50010 HIGH
7.5 Jun 12

TLS hostname verification is silently disabled in Netty's netty-handler module for any client built with SslContextBuild
CVE-2026-50560 MEDIUM POC
6.9 Jun 12

Netty's HTTP/2 codec mishandles the SETTINGS_MAX_HEADER_LIST_SIZE client setting, enabling a denial-of-service attack fu
CVE-2026-50020 MEDIUM POC
5.3 Jun 12

HTTP request smuggling in Netty's HttpObjectDecoder (netty-codec-http) allows unauthenticated remote attackers to manipu
CVE-2026-50009 MEDIUM
4.8 Jun 12

Stateless reset token leakage in Netty's QUIC codec (io.netty:netty-codec-classes-quic prior to 4.2.15.Final) enables an

Vendor StatusVendor

SUSE

Severity: Important
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS Affected

Share

CVE-2026-50011 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy