Denial of Service Vulnerability in Netty's Redis Codec
CVE-2026-44890
7.5HIGH
What is CVE-2026-44890?
The netty-codec-redis module, a part of the Netty framework, is susceptible to a denial of service (DoS) attack. Attackers can exploit this vulnerability by sending specially crafted Redis payloads across multiple connections, omitting the required line terminators. This exploitation leads to the exhaustion of the server's direct memory pool, resulting in OutOfDirectMemoryError and thereby preventing legitimate connections from being processed. The issue is resolved in netty-codec-redis versions 4.1.135.Final and 4.2.15.Final.
Affected Version(s)
netty >= 4.2.0.Final, < 4.2.15.Final < 4.2.0.Final, 4.2.15.Final
netty < 4.1.135.Final < 4.1.135.Final
