Denial of Service Vulnerability in Netty's Redis Codec
CVE-2026-44890

7.5HIGH

Key Information:

Vendor

Netty

Status
Vendor
CVE Published:
11 June 2026

What is CVE-2026-44890?

The netty-codec-redis module, a part of the Netty framework, is susceptible to a denial of service (DoS) attack. Attackers can exploit this vulnerability by sending specially crafted Redis payloads across multiple connections, omitting the required line terminators. This exploitation leads to the exhaustion of the server's direct memory pool, resulting in OutOfDirectMemoryError and thereby preventing legitimate connections from being processed. The issue is resolved in netty-codec-redis versions 4.1.135.Final and 4.2.15.Final.

Affected Version(s)

netty >= 4.2.0.Final, < 4.2.15.Final < 4.2.0.Final, 4.2.15.Final

netty < 4.1.135.Final < 4.1.135.Final

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.