<Vulnerability name="CVE-2026-50011">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Important</ThreatSeverity>
    <PublicDate>2026-06-12T14:52:18</PublicDate>
    <Bugzilla id="2488413" url="https://bugzilla.redhat.com/show_bug.cgi?id=2488413" xml:lang="en:us">
netty-codec-redis: Netty: Denial of Service via malicious Redis array header
    </Bugzilla>
    <CVSS3 status="draft">
        <CVSS3BaseScore>7.5</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-770</CWE>
    <Details xml:lang="en:us" source="Mitre">
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, RedisArrayAggregator pre-allocates an ArrayList with an initial capacity equal to the RESP array element count declared in an array header. That count is taken from the wire before the corresponding child messages exist. A small malicious header can claim a huge initial capacity. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in Netty, a network application framework. The RedisArrayAggregator component pre-allocates memory based on the declared element count in a Redis array header. A remote attacker can exploit this by sending a small, malicious Redis array header that claims a huge initial capacity, leading to excessive memory pre-allocation. This can result in a denial of service (DoS) due to resource exhaustion.
    </Details>
    <Statement xml:lang="en:us">
This is an Important denial of service vulnerability in Netty's RedisArrayAggregator component. A remote, unauthenticated attacker can exploit this flaw by sending a specially crafted Redis array header, causing excessive memory pre-allocation and leading to resource exhaustion. This can disrupt services utilizing Netty for Redis communication.
    </Statement>
    <Mitigation xml:lang="en:us">
To mitigate this issue, restrict network access to services that utilize the netty-codec-redis component and process Redis traffic. Configure firewalls or network access control lists (ACLs) to limit connections to these services from trusted networks or localhost only. This reduces the attack surface by preventing untrusted remote attackers from sending malicious Redis array headers. Consult product-specific documentation for detailed instructions on configuring network access for affected Red Hat products. Reloading or restarting services may be required for network configuration changes to take effect, which could temporarily impact availability.
    </Mitigation>
    <PackageState cpe="cpe:/a:redhat:camel_spring_boot:4">
        <ProductName>Red Hat build of Apache Camel for Spring Boot 4</ProductName>
        <FixState>Affected</FixState>
        <PackageName>netty-codec-redis</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:jboss_data_grid:8">
        <ProductName>Red Hat Data Grid 8</ProductName>
        <FixState>Affected</FixState>
        <PackageName>netty-codec-redis</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:jboss_fuse:7">
        <ProductName>Red Hat Fuse 7</ProductName>
        <FixState>Will not fix</FixState>
        <PackageName>netty-codec-redis</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:jboss_enterprise_application_platform:7">
        <ProductName>Red Hat JBoss Enterprise Application Platform 7</ProductName>
        <FixState>Affected</FixState>
        <PackageName>netty-codec-redis</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:jbosseapxp">
        <ProductName>Red Hat JBoss Enterprise Application Platform Expansion Pack</ProductName>
        <FixState>Affected</FixState>
        <PackageName>netty-codec-redis</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:red_hat_single_sign_on:7">
        <ProductName>Red Hat Single Sign-On 7</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>netty-codec-redis</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-50011
https://nvd.nist.gov/vuln/detail/CVE-2026-50011
https://github.com/netty/netty/releases/tag/netty-4.1.135.Final
https://github.com/netty/netty/releases/tag/netty-4.2.15.Final
https://github.com/netty/netty/security/advisories/GHSA-5w86-c3rq-vjj7
    </References>
</Vulnerability>