CVE-2026-50011
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk29th percentile - higher than 29% of all known CVEs
Summary
A vulnerability in Netty RedisArrayAggregator pre-allocates an ArrayList with a capacity equal to the RESP array element count declared in a header, which can be inflated by a malicious packet. An attacker can send a small header with a falsely large count, leading to excessive memory consumption.
Risk Assessment
The risk is potential memory exhaustion (out-of-memory) on the server by sending a crafted Redis packet, causing denial of service (DoS) and application instability.
Recommendation
Immediately update Netty to version 4.1.135.Final or 4.2.15.Final, which include a fix that limits pre-allocation based on a trusted size.
Original NVD description (English source)
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, RedisArrayAggregator pre-allocates ArrayList with initial capacity equal to the RESP array element count declared in an array header. That count is taken from the wire before the corresponding child messages exist. A small malicious header can claim a huge initial capacity. Versions 4.1.135.Final and 4.2.15.Final patch the issue.

