LiveActive security incident?Get immediate response
CVE Record

CVE-2026-44890: Netty has Unbounded Direct Memory Consumption in its RedisDecoder

Netty is a network application framework for development of protocol servers and clients. In netty-codec-redis prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can cause DoS by sending crafted Redis payloads across multiple connections without `\r\n`. This exhausts the server's direct memory pool (OutOfDirectMemoryError), preventing legitimate connections from being processed. Versions 4.1.135.Final and 4.2.15.Final patch the issue.

HighCVSS 7.5Not KEV-listedUpdated
Glexia's TakeAutomated analysishigh

Security readout for executives and security teams

Plain-English summary

A flaw in the Netty networking library lets a remote attacker crash or freeze services that use its Redis protocol decoder. By sending malformed Redis messages that never end properly, the attacker forces the server to hoard memory until it can no longer accept legitimate users. No data is stolen, but the service becomes unavailable until restarted or patched.

Executive priority

Treat as a high-priority availability risk for any internet-facing service that speaks the Redis protocol via Netty. Schedule patching in the current maintenance window; there is no data-loss or breach exposure, but a single attacker can knock affected services offline with modest effort.

Technical view

In netty-codec-redis before 4.1.135.Final and 4.2.15.Final, RedisDecoder buffers inbound bytes waiting for a terminating `\r\n`. An attacker opening many connections and streaming payloads without the delimiter causes unbounded growth of the direct memory pool, ultimately triggering OutOfDirectMemoryError. This is a CWE-400/CWE-770 uncontrolled resource consumption issue, CVSS 3.1 7.5 (AV:N/AC:L/PR:N/UI:N/A:H). Fixed versions bound the buffered state.

Likely exposure

Applications, gateways, and proxies built on Netty that expose the Redis decoder to untrusted network input, including services accepting Redis protocol traffic from the internet or from less-trusted internal tenants. Purely internal, authenticated Redis clients using Netty are less exposed but still at risk if attackers can reach the listener.

Exploitation context

No active exploitation is reported and the CVE is not in CISA KEV. The GitHub Security Advisory (GHSA-6ghj-frrj-jjj3) and Red Hat advisory describe the DoS pattern conceptually; no public exploit code is cited in the bundle. Impact is availability only, network-reachable, and unauthenticated per the CVSS vector.

Researcher notes

Root cause is unbounded accumulation in RedisDecoder when the `\r\n` framing token never arrives, so buffered ByteBufs are never released. Multiplied across many connections, this drains the pooled direct memory arena. Validate fixes by reviewing the 4.1.135.Final and 4.2.15.Final release notes and the GHSA advisory. Sources do not enumerate downstream products; check shaded Netty in Spring, Vert.x, Quarkus, and Cassandra-family builds.

Mitigation direction

  • Upgrade netty-codec-redis to 4.1.135.Final or 4.2.15.Final across all services and container images.
  • Apply Red Hat RHSA-2026:37390 or vendor equivalent to affected platform components.
  • Restrict network exposure of Redis-decoder listeners to trusted sources via firewalls or service mesh policy.
  • Set direct memory and connection limits on Netty-based services to contain resource exhaustion.
  • Rebuild and redeploy downstream artifacts that shade or embed vulnerable Netty versions.

Validation and detection

  • Inventory dependencies with an SBOM or `mvn dependency:tree`/`gradle dependencies` search for netty-codec-redis versions.
  • Confirm running services report Netty 4.1.135.Final or 4.2.15.Final at startup or via management endpoints.
  • Scan container images and artifact registries for pre-fix Netty versions using SCA tooling.
  • Review Red Hat CSAF/VEX data for platform-specific fix availability and status.
  • Monitor Netty-based services for OutOfDirectMemoryError and abnormal direct memory growth after patching.
Prepared
Confidence
high
Sources
8

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-400: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cwe · low confidence lookup

CWE-770: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2026-44890 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
High
CVSS
7.5 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

2CVSS vectors
5Timeline events
2ADP providers
8Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: yesTechnical Impact: partial

CVSS vector scores

2 official scores

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
7.5CVSS 3.1HighCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H3.93.6GitHub_M
7.5CVSS 3.1HighCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H3.93.6redhat-SADP

Vulnerability scoring details

Base CVSS 3.1 score

7.5High
CVSS 3.1 vector shape for CVE-2026-44890Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. ADP timelineredhat-SADP

    Made public.

  3. CVE publishedCVE Program

    The CVE record was published.

  4. ADP timelineredhat-SADP

    Reported to Red Hat.

  5. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
redhat-SADPnetty-codec-redis: netty-codec-redis: Denial of Service via crafted Redis payloads
other:Red Hat severity ratingcvssV3_1
  • 2026-06-11T22:00:53.322Z: Reported to Red Hat.
  • 2026-06-11T20:52:50.980Z: Made public.

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
nettynetty>= 4.2.0.Final, < 4.2.15.Final, < 4.1.135.FinalListed
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-400 · source CWE mapping

Uncontrolled Resource Consumption

Uncontrolled Resource Consumption represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.

CWE-770 · source CWE mapping

Allocation of Resources Without Limits or Throttling

Allocation of Resources Without Limits or Throttling represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.