Netty's Lack of Lifecycle Cleanup Leads to Pooled ByteBuf Leak in RedisArrayAggregator

Vulnerability

The RedisArrayAggregator handler in Netty's netty-codec-redis module (versions 4.2.0.Final through 4.2.14.Final and all versions up to 4.1.134.Final) lacks lifecycle cleanup methods (channelInactive, handlerRemoved, exceptionCaught). When a Redis pipeline connection closes before a RESP array aggregate completes, the handler retains child messages in its per-handler state (depths field) without releasing them. These retained buffers are slices of PooledByteBufAllocator chunks, preventing those chunks from being returned to the JVM-wide direct-memory pool [1][2].

Exploitation

An attacker needs only the ability to establish and close Redis pipeline connections to a Netty server using the affected handler. No authentication or special privileges are required. By repeatedly opening and closing connections before RESP array aggregates finish, the attacker triggers the leak on each teardown. The lack of any cleanup method means every incomplete aggregate permanently consumes direct memory [1][2].

Impact

Repeated connection churn monotonically drains the shared direct-memory pool, eventually causing OutOfMemoryError allocation failures on all Netty channels in the same JVM process. This results in a denial-of-service (DoS) condition affecting all services using the affected Netty version [1][2].

Mitigation

The vulnerability is fixed in Netty versions 4.2.15.Final and 4.1.135.Final, released on June 5, 2026 [1][2]. Users should upgrade to these versions or later. No workaround is available; the only mitigation is to apply the patch. The CVE is not listed in CISA's Known Exploited Vulnerabilities catalog as of publication.