Memory Leak in Netty Framework Affects Redis Pipeline Connections
CVE-2026-48006

8.7HIGH

Key Information:

Vendor

Netty

Status
Vendor
CVE Published:
12 June 2026

What is CVE-2026-48006?

The Netty Framework has a vulnerability that causes memory leaks through the RedisArrayAggregator handler. When a Redis pipeline connection is closed prematurely, memory buffers intended for direct use are not freed due to the absence of essential channel handling methods. This oversight allows retained child messages to linger, leading to the depletion of the JVM-wide direct-memory pool upon repeated connection cycles. As a result, the issue can culminate in allocation failures, adversely impacting all Netty channels and potentially degrading application performance. Users are advised to upgrade to versions 4.1.135.Final or 4.2.15.Final to mitigate this issue.

Affected Version(s)

netty >= 4.2.0.Final, < 4.2.15.Final < 4.2.0.Final, 4.2.15.Final

netty < 4.1.135.Final < 4.1.135.Final

References

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.