Memory Leak in Netty Framework Affects Redis Pipeline Connections
CVE-2026-48006
What is CVE-2026-48006?
The Netty Framework has a vulnerability that causes memory leaks through the RedisArrayAggregator handler. When a Redis pipeline connection is closed prematurely, memory buffers intended for direct use are not freed due to the absence of essential channel handling methods. This oversight allows retained child messages to linger, leading to the depletion of the JVM-wide direct-memory pool upon repeated connection cycles. As a result, the issue can culminate in allocation failures, adversely impacting all Netty channels and potentially degrading application performance. Users are advised to upgrade to versions 4.1.135.Final or 4.2.15.Final to mitigate this issue.
Affected Version(s)
netty >= 4.2.0.Final, < 4.2.15.Final < 4.2.0.Final, 4.2.15.Final
netty < 4.1.135.Final < 4.1.135.Final
