ArrayList Pre-allocation Flaw in Netty Framework Affects Multiple Versions
CVE-2026-50011

7.5HIGH

Key Information:

Vendor

Netty

Status
Vendor
CVE Published:
12 June 2026

What is CVE-2026-50011?

The Netty framework, widely used for developing protocol servers and clients, exhibits a vulnerability in its RedisArrayAggregator. The flaw arises from the pre-allocation of an ArrayList with a capacity determined by the RESP array element count declared in an array header. Since this count is derived from network data before the corresponding child messages are processed, an attacker can exploit this by sending a specially crafted header that claims an excessively large initial capacity. This can lead to denial of service or resource exhaustion. Users should upgrade to versions 4.1.135.Final or 4.2.15.Final to mitigate this risk.

Affected Version(s)

netty >= 4.2.0.Final, < 4.2.15.Final < 4.2.0.Final, 4.2.15.Final

netty < 4.1.135.Final < 4.1.135.Final

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.