CVE-2026-50011: Unbounded Resource Pre-Allocation in Netty Redis Codec
Vulnerability ID: CVE-2026-50011
CVSS Score: 7.5
Published: 2026-06-15
An uncontrolled resource pre-allocation flaw in the Netty Redis codec module allows remote unauthenticated attackers to cause a denial of service (OutOfMemoryError) by sending a crafted Redis Serialization Protocol (RESP) array header.
TL;DR
Remote, unauthenticated attackers can crash Netty-based Redis servers by sending a 13-byte RESP array header containing a large declared array length, triggering an immediate OutOfMemoryError.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-770
- Attack Vector: Network (AV:N)
- CVSS v3.1 Base Score: 7.5 (High)
- Exploit Maturity: Proof of Concept
- Impact Category: Availability (Denial of Service)
- CISA KEV Status: Not Listed
Affected Systems
- io.netty:netty-codec-redis
-
netty-codec-redis: < 4.1.135.Final (Fixed in:
4.1.135.Final) -
netty-codec-redis: >= 4.2.0.Final, < 4.2.15.Final (Fixed in:
4.2.15.Final)
Mitigation Strategies
- Upgrade Netty library dependencies to the patched versions.
- Deploy a custom Netty pipeline validation handler to drop connections presenting excessive array headers.
Remediation Steps:
- Open the build configuration file (e.g., pom.xml or build.gradle) of the affected project.
- Identify the 'io.netty:netty-codec-redis' dependency.
- Update the version definition to '4.1.135.Final' or '4.2.15.Final' depending on the current active release branch.
- Rebuild the application and verify that transitively resolved Netty core dependencies are aligned.
- Deploy the updated binaries to production environments.
References
- GitHub Security Advisory GHSA-5w86-c3rq-vjj7
- Netty 4.1.135.Final Release Notes
- Netty 4.2.15.Final Release Notes
- NVD CVE-2026-50011 Detail
- CVE.org Authority Record
Read the full report for CVE-2026-50011 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)