CVE-2026-44250 · Severity: HIGH · CNA: GitHub_M

CVE-2026-44250: Netty: Memory Exhaustion in RedisArrayAggregator due to Deeply Nested Arrays

Netty is a network application framework for development of protocol servers and clients. In netty-codec-redis prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can cause DoS by sending a crafted Redis payload with deeply nested arrays. This forces the server to allocate a massive number of state objects and collections, leading to memory exhaustion and an OutOfMemoryError. Versions 4.1.135.Final and 4.2.15.Final patch the issue.

Metrics

  • CVSS v3.1: 7.5
  • Severity: HIGH
  • Fixed in: none published
  • Affected Products: 1


HarborGuard Analysis

Synopsis

Memory exhaustion vulnerability in the netty-codec-redis component of the Netty network application framework. An unauthenticated remote attacker can send a crafted Redis protocol payload containing deeply nested arrays, forcing the server to allocate a massive number of state objects until the JVM throws an OutOfMemoryError. Successful exploitation causes a full denial of service of the affected application. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment upstream publishes a fixed release.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle netty-codec-redis transitively. Coverage applies to both registry scans and pipeline-integrated build checks.

Triage: Available

HarborGuard scores this finding at CVSS 7.5 HIGH using the published v3.1 vector and weights it against each environment's compliance policy to determine urgency. Routed findings land in the inbox of the team or individual designated for the affected workload inside each customer org.

Patch: Pending upstream

No fix version has been published upstream for this CVE. HarborGuard re-checks the advisory each ingest cycle and will make a patched-image rebuild available at the corrected version the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be initiated automatically at that time.

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the service over the network to deliver a crafted Redis protocol payload.

  • Authentication: Not required

    No credentials or account of any kind are needed to send the malicious payload.

  • Victim interaction: Not required

    The vulnerability triggers purely through the inbound network payload; no user action is required.

  • Attack complexity: Low (AC:L)

    The exploit is reliable and condition-free: sending a specifically crafted deeply nested array payload is sufficient to trigger memory exhaustion without needing to satisfy any race condition or environmental prerequisite.

Blast Radius

  • The affected JVM process exhausts available heap memory, resulting in an OutOfMemoryError that crashes or permanently hangs the application.
  • All in-flight requests and active connections served by the Netty application are dropped at the moment of memory exhaustion.
  • Dependent services that rely on the Netty-based endpoint lose connectivity, potentially cascading disruption to downstream consumers.

How HarborGuard Handles This

Available on HarborGuard: this CVE is actively tracked against all images containing affected versions of netty-codec-redis (4.2.x before 4.2.15.Final and 4.1.x before 4.1.135.Final). Because no upstream fix exists at this time, HarborGuard monitors the advisory on every ingest cycle. When upstream publishes the patched release, a rebuilt image at the fix version becomes available immediately, and customers with auto-remediation enabled will receive a rebuilt image, a regression-test run, and a PR opened against affected workloads without manual intervention. In the interim, compensating controls worth considering include network-policy isolation that restricts which sources can establish Redis protocol connections to the affected service, egress filtering to limit unexpected amplification, and, where application design permits, a feature-flag or configuration change to disable Redis array parsing for untrusted input paths.
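The advisory describes the bug class (one state object allocated per nested array header, with no bound on nesting) and names a configuration-level compensating control. The following is an added example, not Netty's code or HarborGuard's: a small RESP parser that models an array aggregator with an explicit per-level state stack and enforces a nesting cap before any state for a new level is allocated. The cap value, the helper names and the sample frames are this example's assumptions.

```python
"""Depth-bounded RESP array parser (added example, not Netty's code).

Models the bug class behind CVE-2026-44250: an aggregator that allocates one
state record per nested array header with no bound on nesting depth, and the
standard mitigation, a hard nesting cap checked before any per-level state is
allocated. The limit value and helper names are this example's assumptions.
"""
from __future__ import annotations

MAX_NESTING_DEPTH = 32  # assumed default; size it to what the application really needs


class RespError(ValueError):
    """Malformed or incomplete RESP frame."""


class NestingTooDeep(RespError):
    """Array nesting exceeded the configured cap; the frame is rejected early."""


def parse_resp(data: bytes, max_depth: int = MAX_NESTING_DEPTH):
    """Parse one RESP value from data.

    Returns (value, bytes_consumed, peak_depth). Arrays become lists, bulk
    strings bytes, integers int, simple strings str, error replies a
    ("error", text) tuple, null bulk strings and null arrays None.
    """
    pos = 0
    # One stack entry per open array: (children collected so far, expected count).
    # Each entry stands in for the per-level state object the advisory describes.
    stack: list[tuple[list, int]] = []
    peak_depth = 0

    def read_line(p: int) -> tuple[bytes, int]:
        end = data.find(b"\r\n", p)
        if end < 0:
            raise RespError("incomplete frame")
        return data[p:end], end + 2

    while True:
        if pos >= len(data):
            raise RespError("incomplete frame")
        kind = data[pos:pos + 1]
        line, pos = read_line(pos + 1)

        if kind == b"*":
            count = int(line)
            if count < 0:
                value = None  # null array
            else:
                # Mitigation: refuse before allocating state for this level.
                if len(stack) >= max_depth:
                    raise NestingTooDeep(f"array nesting exceeds {max_depth}")
                if count == 0:
                    value = []
                else:
                    stack.append(([], count))
                    peak_depth = max(peak_depth, len(stack))
                    continue  # elements follow; nothing to attach yet
        elif kind == b"$":
            length = int(line)
            if length < 0:
                value = None  # null bulk string
            else:
                if data[pos + length:pos + length + 2] != b"\r\n":
                    raise RespError("bulk string not terminated")
                value = data[pos:pos + length]
                pos += length + 2
        elif kind == b":":
            value = int(line)
        elif kind == b"+":
            value = line.decode("ascii")
        elif kind == b"-":
            value = ("error", line.decode("ascii"))
        else:
            raise RespError(f"unknown type byte {kind!r}")

        # Attach the finished value to its parent, closing arrays that are now full.
        while True:
            if not stack:
                return value, pos, peak_depth
            children, expected = stack[-1]
            children.append(value)
            if len(children) < expected:
                break  # parent still waits for more elements
            stack.pop()
            value = children


def build_nested_array(depth: int, leaf: bytes = b":1\r\n") -> bytes:
    """Constructed test input: `depth` single-element arrays wrapped around one leaf."""
    return b"*1\r\n" * depth + leaf


def within_depth_limit(data: bytes, max_depth: int = MAX_NESTING_DEPTH) -> bool:
    """True if the frame parses under the cap, False if it was rejected for depth."""
    try:
        parse_resp(data, max_depth)
        return True
    except NestingTooDeep:
        return False
```

The point of the design is where the check sits: the cap is evaluated on the array header, before the parser pushes a new state record, so the memory a peer can force the decoder to hold is bounded by `max_depth` regardless of how many headers the frame carries. The same placement applies to a Netty pipeline handler sitting in front of the aggregator: inspect the array header message and close the channel when the open-array count would exceed the cap, rather than letting the aggregator allocate and then counting afterwards.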

Affected packages

  • netty / netty: >= 4.2.0.Final, < 4.2.15.Final · < 4.1.135.Final

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H