CVE Catalog

CVE-2026-50011

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.37%

29th percentile - higher than 29% of all known CVEs

Summary

A vulnerability in Netty RedisArrayAggregator pre-allocates an ArrayList with a capacity equal to the RESP array element count declared in a header, which can be inflated by a malicious packet. An attacker can send a small header with a falsely large count, leading to excessive memory consumption.

Risk Assessment

The risk is potential memory exhaustion (out-of-memory) on the server by sending a crafted Redis packet, causing denial of service (DoS) and application instability.

Recommendation

Immediately update Netty to version 4.1.135.Final or 4.2.15.Final, which include a fix that limits pre-allocation based on a trusted size.

Original NVD description (English source)

Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, RedisArrayAggregator pre-allocates ArrayList with initial capacity equal to the RESP array element count declared in an array header. That count is taken from the wire before the corresponding child messages exist. A small malicious header can claim a huge initial capacity. Versions 4.1.135.Final and 4.2.15.Final patch the issue.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS