5 matches found

OSV
added 2026/06/15 8:46 p.m., 4 views

GHSA-5W86-C3RQ-VJJ7 Netty: Unbounded pre-allocation in RedisArrayAggregator from RESP array length

Summary: RedisArrayAggregator pre-allocates an ArrayList with initial capacity equal to the RESP array element count declared in an array header. That count is taken from the wire before the corresponding child messages exist. A small malicious header can claim a huge initial capacity. Details: The...

CVSS 7.5 | AI score 5.3 | EPSS 0.00335
Exploits 0 | References 5
Vulnrichment
added 2026/06/11 8:52 p.m., 8 views

CVE-2026-44890 Netty has Unbounded Direct Memory Consumption in its RedisDecoder

Netty is a network application framework for development of protocol servers and clients. In netty-codec-redis prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can cause DoS by sending crafted Redis payloads across multiple connections without \r\n. This exhausts the server's direct...

CVSS 7.5 | AI score 5.2 | EPSS 0.00335
Exploits 0 | References 3
CVE
added 2026/06/11 8:52 p.m., 57 views

CVE-2026-44890

Netty has Unbounded Direct Memory Consumption in its RedisDecoder (CVE-2026-44890). In netty-codec-redis, versions before 4.1.135.Final and 4.2.15.Final allow an attacker to cause a DoS by sending crafted Redis payloads across multiple connections that omit "\r\n", exhausting the server’s direct ...

CVSS 7.5 | AI score 5.4 | EPSS 0.00335
Exploits 0 | References 3 | Affected Software 1
Positive Technologies
added 2026/06/08 12:0 a.m., 9 views

PT-2026-47602

Name of the Vulnerable Software and Affected Versions: Netty (affected versions not specified). Description: A Denial of Service (DoS) issue exists where an attacker can exhaust the server's direct memory pool, leading to an OutOfDirectMemoryError and preventing legitimate connections. This occurs becau...

CVSS 7.5 | AI score 5.7 | EPSS 0.00335
Exploits 0 | References 28
Positive Technologies
added 2026/06/08 12:0 a.m., 9 views

PT-2026-47555

Summary: An attacker can cause DoS by sending crafted Redis payloads across multiple connections without \r\n. This exhausts the server's direct memory pool (OutOfDirectMemoryError), preventing legitimate connections from being processed. Details: io.netty.handler.codec.redis.RedisDecoder decodes the...

CVSS 7.5 | AI score 5.5
Exploits 0 | References 5