Netty has unbounded pre-allocation in RedisArrayAggregator from RESP array length
Summary
| CVE | CVE-2026-50011 |
|---|---|
| State | PUBLISHED |
| Assigner | GitHub_M |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-12 16:16:31 UTC |
| Updated | 2026-06-30 03:20:45 UTC |
| Description | Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, RedisArrayAggregator pre-allocates ArrayList with initial capacity equal to the RESP array element count declared in an array header. That count is taken from the wire before the corresponding child messages exist. A small malicious header can claim a huge initial capacity. Versions 4.1.135.Final and 4.2.15.Final patch the issue. |
Risk And Classification
Primary CVSS: v3.1 7.5 HIGH from ADP
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.003350000 probability, percentile 0.251040000 (date 2026-06-20)
Problem Types: CWE-400: Uncontrolled Resource Consumption | CWE-770: Allocation of Resources Without Limits or Throttling
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | ADP | CVSS | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | [email protected] | Secondary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | CNA | DECLARED | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Netty | Netty | affected >= 4.2.0.Final, < 4.2.15.Final | Not specified |
| CNA | Netty | Netty | affected < 4.1.135.Final | Not specified |
| ADP | Red Hat | Red Hat Build Of Apache Camel For Spring Boot 4 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Data Grid 8 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Fuse 7 | Not specified | Not specified |
| ADP | Red Hat | Red Hat JBoss Enterprise Application Platform 7 | Not specified | Not specified |
| ADP | Red Hat | Red Hat JBoss Enterprise Application Platform Expansion Pack | Not specified | Not specified |
| ADP | Red Hat | Red Hat Single Sign-On 7 | Not specified | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | |
| github.com/netty/netty/releases/tag/netty-4.1.135.Final | [email protected] | github.com | Release Notes |
| security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-50011.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | |
| github.com/netty/netty/security/advisories/GHSA-5w86-c3rq-vjj7 | [email protected] | github.com | Vendor Advisory |
| access.redhat.com/security/cve/CVE-2026-50011 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| github.com/netty/netty/releases/tag/netty-4.2.15.Final | [email protected] | github.com | Release Notes |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2026-06-12T16:01:17.003Z | Reported to Red Hat. |
| ADP | 2026-06-12T14:52:18.042Z | Made public. |
Workarounds
ADP: To mitigate this issue, restrict network access to services that use the netty-codec-redis component and process Redis traffic. Configure firewalls or network access control lists (ACLs) to limit connections to these services to trusted networks or localhost only. This reduces the attack surface by preventing untrusted remote attackers from sending malicious Redis array headers. Consult product-specific documentation for detailed instructions on configuring network access for affected Red Hat products. Reloading or restarting services may be required for network configuration changes to take effect, which could temporarily impact availability.