DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-50011: CVE-2026-50011: Unbounded Resource Pre-Allocation in Netty Redis Codec

CVE-2026-50011: Unbounded Resource Pre-Allocation in Netty Redis Codec

Vulnerability ID: CVE-2026-50011
CVSS Score: 7.5
Published: 2026-06-15

An uncontrolled resource pre-allocation flaw in the Netty Redis codec module allows remote unauthenticated attackers to cause a denial of service (OutOfMemoryError) by sending a crafted Redis Serialization Protocol (RESP) array header.

TL;DR

Remote, unauthenticated attackers can crash Netty-based Redis servers by sending a 13-byte RESP array header containing a large declared array length, triggering an immediate OutOfMemoryError.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-770
  • Attack Vector: Network (AV:N)
  • CVSS v3.1 Base Score: 7.5 (High)
  • Exploit Maturity: Proof of Concept
  • Impact Category: Availability (Denial of Service)
  • CISA KEV Status: Not Listed

Affected Systems

  • io.netty:netty-codec-redis
  • netty-codec-redis: < 4.1.135.Final (Fixed in: 4.1.135.Final)
  • netty-codec-redis: >= 4.2.0.Final, < 4.2.15.Final (Fixed in: 4.2.15.Final)

Mitigation Strategies

  • Upgrade Netty library dependencies to the patched versions.
  • Deploy a custom Netty pipeline validation handler to drop connections presenting excessive array headers.

Remediation Steps:

  1. Open the build configuration file (e.g., pom.xml or build.gradle) of the affected project.
  2. Identify the 'io.netty:netty-codec-redis' dependency.
  3. Update the version definition to '4.1.135.Final' or '4.2.15.Final' depending on the current active release branch.
  4. Rebuild the application and verify that transitively resolved Netty core dependencies are aligned.
  5. Deploy the updated binaries to production environments.

References


Read the full report for CVE-2026-50011 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)