SecuriTricks - CVE-2026-50011

Description

Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, RedisArrayAggregator pre-allocates ArrayList with initial capacity equal to the RESP array element count declared in an array header. That count is taken from the wire before the corresponding child messages exist. A small malicious header can claim a huge initial capacity. Versions 4.1.135.Final and 4.2.15.Final patch the issue.

Product(s) Impacted

Vendor	Product	Versions
Netty	Netty	<4.1.135.Final, <4.2.15.Final

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-400

Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	netty	netty	<4.1.135.Final	/	/	/	/	/	/	/
a	netty	netty	<4.2.15.Final	/	/	/	/	/	/	/

References

https://github.com/netty/netty/releases/tag/netty-4.1.135.Final

https://github.com/netty/netty/releases/tag/netty-4.2.15.Final

https://github.com/netty/netty/security/advisories/GHSA-5w86-c3rq-vjj7

CVSS Score

7.5 / 10

CVSS Data - 3.1

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

View Vector String

Timeline

Published: June 12, 2026, 4:16 p.m.
Last Modified: June 12, 2026, 4:18 p.m.

Status : Undergoing Analysis

CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.

More info

Source

[email protected]

CVE-2026-50011