CVE-2026-44890

Summary

Netty is a network application framework for development of protocol servers and clients. In netty-codec-redis prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can cause DoS by sending crafted Redis payloads across multiple connections without \r\n. This exhausts the server's direct memory pool (OutOfDirectMemoryError), preventing legitimate connections from being processed. Versions 4.1.135.Final and 4.2.15.Final patch the issue.

Affected Software

VendorProductVersion RangeStatus
nettynetty>= 4.2.0.Final, < 4.2.15.Finalaffected
nettynetty< 4.1.135.Finalaffected

Weaknesses

  • CWE-400: CWE-400: Uncontrolled Resource Consumption

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

netty-codec-redis: netty-codec-redis: Denial of Service via crafted Redis payloads

Additional References

References