Medium severity 6.8 · GHSA Advisory · Published May 13, 2026 · Updated May 18, 2026
CVE-2026-42586
Description
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the Netty Redis codec encoder (RedisEncoder) writes user-controlled string content directly to the network output buffer without validating or sanitizing CRLF (\r\n) characters. Since the Redis Serialization Protocol (RESP) uses CRLF as the command/response delimiter, an attacker who can control the content of a Redis message can inject arbitrary Redis commands or forge fake responses. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
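The framing problem described above, as an added example that is not Netty's code or its patch: a line-delimited RESP value copied verbatim is read by the receiver as two frames, while a CR/LF check or a length-prefixed bulk string keeps it as one. All function names are hypothetical and the sample input is constructed.

```python
# Added illustration of RESP line framing; not Netty code.
CRLF = b"\r\n"
UNTRUSTED = "first\r\n+second"  # constructed sample value containing CRLF

def encode_line_unchecked(prefix: bytes, text: str) -> bytes:
    """Behaviour the advisory describes: content is written verbatim."""
    return prefix + text.encode("utf-8") + CRLF

def encode_line_checked(prefix: bytes, text: str) -> bytes:
    """Hardened form: a line-delimited RESP value may not contain CR or LF."""
    if "\r" in text or "\n" in text:
        raise ValueError("CR/LF not allowed in a line-delimited RESP value")
    return prefix + text.encode("utf-8") + CRLF

def encode_bulk(text: str) -> bytes:
    """Bulk strings are length-prefixed, so CRLF in the payload stays data."""
    data = text.encode("utf-8")
    return b"$" + str(len(data)).encode("ascii") + CRLF + data + CRLF

def parse_frames(wire: bytes) -> list:
    """Minimal receiver-side parser for '+', '-' and '$' frames only."""
    frames, pos = [], 0
    while pos < len(wire):
        kind = wire[pos:pos + 1]
        end = wire.index(CRLF, pos)          # ValueError if no terminator
        if kind in (b"+", b"-"):
            frames.append((kind.decode("ascii"), wire[pos + 1:end]))
            pos = end + 2
        elif kind == b"$":
            length = int(wire[pos + 1:end])
            start = end + 2
            if wire[start + length:start + length + 2] != CRLF:
                raise ValueError("bulk string not terminated by CRLF")
            frames.append(("$", wire[start:start + length]))
            pos = start + length + 2
        else:
            raise ValueError(f"unsupported frame type {kind!r}")
    return frames

if __name__ == "__main__":
    # One logical value, two frames on the wire:
    print(parse_frames(encode_line_unchecked(b"+", UNTRUSTED)))
    # Same value as a bulk string: one frame, CRLF preserved as data.
    print(parse_frames(encode_bulk(UNTRUSTED)))
    try:
        encode_line_checked(b"+", UNTRUSTED)
    except ValueError as exc:
        print("rejected:", exc)
```
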
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| io.netty:netty-codec-redis (Maven) | >= 4.2.0.Alpha1, < 4.2.13.Final | 4.2.13.Final |
| io.netty:netty-codec-redis (Maven) | < 4.1.133.Final | 4.1.133.Final |
References
- github.com/netty/netty/security/advisories/GHSA-rgrr-p7gp-5xj7 (NVD: Exploit, Mitigation, Vendor Advisory; WEB)
- github.com/advisories/GHSA-rgrr-p7gp-5xj7 (GHSA: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-42586 (GHSA: ADVISORY)
- github.com/netty/netty/security/advisories/GHSA-84h7-rjj3-6jx4 (GHSA: WEB)
- github.com/netty/netty/security/advisories/GHSA-jq43-27x9-3v86 (GHSA: WEB)
- redis.io/docs/reference/protocol-spec (GHSA: WEB)