CVE-2026-50011
Description
Netty's RedisArrayAggregator pre-allocates an ArrayList from an attacker-controlled RESP array length, enabling memory exhaustion.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In Netty's io.netty:netty-codec-redis module, the RedisArrayAggregator handler pre-allocates an ArrayList with an initial capacity equal to the element count declared in a RESP array header message (ArrayHeaderRedisMessage). The count is taken directly from the wire before the corresponding child messages exist. Versions prior to 4.1.135.Final and 4.2.15.Final are affected [1][2]. The RedisDecoder enforces RedisConstants.REDIS_MESSAGE_MAX_LENGTH for bulk string lengths but does not cap array header lengths, so a small malicious header can claim a huge capacity [3].
Exploitation
An attacker only needs network access to send a crafted RESP array header with an arbitrarily large declared length. No authentication or additional privileges are required. The attacker sends a single small ArrayHeaderRedisMessage with a high length value; the RedisArrayAggregator immediately creates a new ArrayList with that capacity, triggering memory allocation on the server [3]. The array elements themselves do not need to be provided for the allocation to occur.
Impact
Successful exploitation leads to memory exhaustion on the Netty server, causing a denial of service (availability impact). The attacker does not gain code execution or data access; the impact is purely resource exhaustion via uncontrolled, unbounded pre-allocation of Object[] arrays [3].
Mitigation
The vulnerability is fixed in Netty versions 4.1.135.Final and 4.2.15.Final, released on 2026-06-12 [1][2]. Users should upgrade to one of these versions immediately. No workarounds are documented; if upgrading is not possible, consider placing a rate limiter or input validator before the Redis codec to reject messages with excessive array lengths [3].
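The input validator suggested above can be a small Netty handler that inspects each decoded RESP array header and rejects any whose declared element count exceeds a configured bound. The following is an added example, not Netty's own code or fix: it assumes a pipeline where RedisDecoder emits ArrayHeaderRedisMessage objects before RedisArrayAggregator sees them (so the limiter is installed between the two), and the class name RedisArrayLengthLimiter, the helper installRedisCodec and the bound value are choices made here for illustration.

```java
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelInboundHandlerAdapter;
import io.netty.channel.ChannelPipeline;
import io.netty.handler.codec.TooLongFrameException;
import io.netty.handler.codec.redis.ArrayHeaderRedisMessage;
import io.netty.handler.codec.redis.RedisArrayAggregator;
import io.netty.handler.codec.redis.RedisBulkStringAggregator;
import io.netty.handler.codec.redis.RedisDecoder;
import io.netty.handler.codec.redis.RedisEncoder;

/**
 * Added example (hypothetical class, not part of netty-codec-redis).
 * Rejects RESP array headers whose declared length exceeds a bound, so that
 * a downstream RedisArrayAggregator never pre-allocates from an unbounded,
 * attacker-controlled count. Nested array headers pass through the same
 * handler, so they are bounded as well.
 */
public final class RedisArrayLengthLimiter extends ChannelInboundHandlerAdapter {

    // Assumption: the bound is deployment-specific; 1024 is only a sample default.
    public static final long DEFAULT_MAX_ARRAY_LENGTH = 1024;

    private final long maxArrayLength;

    public RedisArrayLengthLimiter(long maxArrayLength) {
        if (maxArrayLength < 0) {
            throw new IllegalArgumentException("maxArrayLength must be >= 0");
        }
        this.maxArrayLength = maxArrayLength;
    }

    /** Returns true when the header is acceptable; null arrays ("*-1") have no elements. */
    public boolean isAllowed(ArrayHeaderRedisMessage header) {
        return header.isNull() || header.length() <= maxArrayLength;
    }

    @Override
    public void channelRead(ChannelHandlerContext ctx, Object msg) throws Exception {
        if (msg instanceof ArrayHeaderRedisMessage) {
            ArrayHeaderRedisMessage header = (ArrayHeaderRedisMessage) msg;
            if (!isAllowed(header)) {
                // Surface the rejection to exceptionCaught handlers (for logging/metrics)
                // and drop the connection; the oversized header never reaches the aggregator.
                // ArrayHeaderRedisMessage is not reference-counted, so nothing needs releasing.
                ctx.fireExceptionCaught(new TooLongFrameException(
                        "RESP array length " + header.length()
                        + " exceeds limit " + maxArrayLength));
                ctx.close();
                return;
            }
        }
        ctx.fireChannelRead(msg);
    }

    /**
     * Assumed pipeline wiring for a server: the limiter must sit after RedisDecoder
     * (which produces the header messages) and before RedisArrayAggregator
     * (which performs the pre-allocation).
     */
    public static void installRedisCodec(ChannelPipeline p, long maxArrayLength) {
        p.addLast(new RedisDecoder());
        p.addLast(new RedisArrayLengthLimiter(maxArrayLength));
        p.addLast(new RedisBulkStringAggregator());
        p.addLast(new RedisArrayAggregator());
        p.addLast(new RedisEncoder());
    }
}
```

This bounds only the aggregator's up-front allocation; a peer can still send up to maxArrayLength real elements per array, which is the memory cost the operator has explicitly accepted. Upgrading to a fixed Netty release remains the primary remedy; the limiter is a stop-gap for deployments that cannot upgrade yet.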
AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (3)
News mentions (0)
No linked articles in our index yet.