ArrayList Pre-allocation Flaw in Netty Framework Affects Multiple Versions
CVE-2026-50011
7.5HIGH
What is CVE-2026-50011?
The Netty framework, widely used for developing protocol servers and clients, exhibits a vulnerability in its RedisArrayAggregator. The flaw arises from the pre-allocation of an ArrayList with a capacity determined by the RESP array element count declared in an array header. Since this count is derived from network data before the corresponding child messages are processed, an attacker can exploit this by sending a specially crafted header that claims an excessively large initial capacity. This can lead to denial of service or resource exhaustion. Users should upgrade to versions 4.1.135.Final or 4.2.15.Final to mitigate this risk.
Affected Version(s)
netty >= 4.2.0.Final, < 4.2.15.Final < 4.2.0.Final, 4.2.15.Final
netty < 4.1.135.Final < 4.1.135.Final
