HarborGuard Database · CVE-2026-44890 · Severity: HIGH · CNA: GitHub_M

CVE-2026-44890: Netty has Unbounded Direct Memory Consumption in its RedisDecoder

Netty is a network application framework for development of protocol servers and clients. In netty-codec-redis prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can cause DoS by sending crafted Redis payloads across multiple connections without `\r\n`. This exhausts the server's direct memory pool (OutOfDirectMemoryError), preventing legitimate connections from being processed. Versions 4.1.135.Final and 4.2.15.Final patch the issue.

Metrics

  • CVSS v3.1: 7.5
  • Severity: HIGH
  • Fixed in: not yet listed
  • Affected products: 1


HarborGuard Analysis

Synopsis

An unbounded direct memory consumption vulnerability exists in Netty's RedisDecoder component (netty-codec-redis). A remote, unauthenticated attacker can exploit this by sending crafted Redis protocol payloads across multiple connections that lack the expected carriage-return/newline terminator, exhausting the server's off-heap direct memory pool and triggering an OutOfDirectMemoryError that prevents legitimate connections from being processed. Successful exploitation results in a full denial of service for the affected Netty instance. Fix versions 4.1.135.Final and 4.2.15.Final address the issue; HarborGuard tracks this advisory and will make a patched-image rebuild available the moment upstream packages are published to standard repositories.

HarborGuard Coverage

Detection (status: Available)

Detection for CVE-2026-44890 is available across every HarborGuard environment. The CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle netty-codec-redis as a transitive dependency.

Triage (status: Available)

HarborGuard scores this CVE at CVSS 7.5 (HIGH) and applies per-environment compliance policy weighting to determine urgency and routing. Triage findings are delivered to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch (status: Pending upstream)

Because no upstream fix version has been published yet, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment 4.1.135.Final or 4.2.15.Final appears in upstream package repositories. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered without manual intervention.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Netty Redis service over the network; the vulnerable component is exposed via a standard network socket.

  • Authentication: Not required

    No credentials or account are needed; the attack works against any unauthenticated Redis endpoint handled by Netty.

  • Victim interaction: Not required

    No user or operator action is required; the attacker sends crafted payloads directly to the service.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no special conditions, race timing, or environmental prerequisites.

Blast Radius

  • Crashes the Netty process or exhausts its direct memory pool, making the service unable to accept or process any new connections.
  • All in-flight Redis operations handled by the affected Netty instance are dropped, causing request failures for any downstream application relying on that connection pool.
  • Recovery requires a process restart or memory reclamation, creating a sustained outage window proportional to how quickly operations teams detect and respond to the OutOfDirectMemoryError.

How HarborGuard Handles This

Available on HarborGuard: because no patched package has been published yet, HarborGuard continuously monitors the upstream advisory for netty-codec-redis on every ingest cycle. The moment 4.1.135.Final or 4.2.15.Final is indexed in upstream repositories, a patched-image rebuild becomes available automatically. For customers with auto-remediation enabled, HarborGuard will trigger a rebuild, run regression tests, and open a PR against affected workloads without requiring manual steps. In the interim, compensating controls worth considering include network-policy rules that restrict which clients can reach the Netty Redis port, egress filtering to limit lateral exposure if the service is compromised, and where architecturally feasible, placing a protocol-aware proxy in front of the Netty endpoint to reject malformed Redis frames before they reach the decoder.
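The last compensating control above, a protocol-aware proxy that refuses malformed Redis frames before they reach the decoder, comes down to one rule: never hold an unbounded number of bytes for a line that has not yet been terminated by `\r\n`, and never let many connections combine to hold more than a fixed budget. The following added example (not Netty's RedisDecoder and not HarborGuard's code) implements that rule as a small proxy-side guard; the class names, the caps and the sample traffic in `demo()` are constructed for illustration.

```python
"""Bounded RESP line accumulator: a proxy-side guard of the kind described above.

Added example, not Netty's RedisDecoder or HarborGuard code. It tracks how many
bytes a connection has sent since the last "\r\n" and stops buffering (dropping
that connection's data) once a cap is exceeded, and it enforces an overall
budget so many connections cannot jointly exhaust memory. Names, caps and the
sample traffic are constructed for illustration.
"""
from dataclasses import dataclass, field

CRLF = b"\r\n"


class MalformedFrame(Exception):
    """Raised when a connection exceeds the allowed unterminated-byte cap."""


class MemoryBudgetExceeded(Exception):
    """Raised when the pending bytes of all connections exceed the global budget."""


@dataclass
class ConnectionGuard:
    """Accumulates one connection's bytes and yields complete CRLF-terminated lines."""
    max_unterminated: int = 4096  # cap on bytes held without a terminator
    _pending: bytearray = field(default_factory=bytearray, init=False, repr=False)

    def feed(self, chunk: bytes) -> list[bytes]:
        """Append a TCP read; return finished lines (without CRLF); raise if over cap."""
        self._pending += chunk
        lines: list[bytes] = []
        while True:
            idx = self._pending.find(CRLF)  # a CRLF split across reads is found later
            if idx < 0:
                break
            lines.append(bytes(self._pending[:idx]))
            del self._pending[: idx + len(CRLF)]
        if len(self._pending) > self.max_unterminated:
            held = len(self._pending)
            self._pending.clear()  # release the memory before rejecting
            raise MalformedFrame(f"{held} bytes without CRLF exceeds cap {self.max_unterminated}")
        return lines

    def buffered(self) -> int:
        return len(self._pending)


class ProxyGuard:
    """Per-connection caps plus a global budget across all open connections."""

    def __init__(self, per_conn_cap: int = 4096, total_budget: int = 1 << 20) -> None:
        self.per_conn_cap = per_conn_cap
        self.total_budget = total_budget
        self._conns: dict[int, ConnectionGuard] = {}

    def on_data(self, conn_id: int, chunk: bytes) -> list[bytes]:
        """Route one read to its connection's guard; drop the connection on any violation."""
        guard = self._conns.setdefault(conn_id, ConnectionGuard(self.per_conn_cap))
        try:
            lines = guard.feed(chunk)
        except MalformedFrame:
            self.close(conn_id)
            raise
        if self.total_buffered() > self.total_budget:
            self.close(conn_id)  # shed the connection that crossed the budget
            raise MemoryBudgetExceeded(f"pending bytes exceed budget {self.total_budget}")
        return lines

    def close(self, conn_id: int) -> None:
        self._conns.pop(conn_id, None)

    def total_buffered(self) -> int:
        return sum(g.buffered() for g in self._conns.values())


def demo() -> dict:
    """Constructed traffic: a well-formed client, a client that never terminates its
    line, and several clients each under the per-connection cap but jointly over budget."""
    results: dict = {}
    proxy = ProxyGuard(per_conn_cap=16, total_budget=40)
    # Well-formed PING split across two reads; the partial frame is completed on the second.
    results["ping"] = proxy.on_data(1, b"*1\r\n$4\r\nPI") + proxy.on_data(1, b"NG\r\n")
    # One connection that keeps sending without a terminator is capped and dropped.
    try:
        proxy.on_data(2, b"A" * 64)
        results["unterminated"] = "accepted"
    except MalformedFrame:
        results["unterminated"] = "rejected"
    # Five connections of 10 unterminated bytes each: the fifth pushes the total past 40.
    tripped = 0
    for conn_id in range(10, 15):
        try:
            proxy.on_data(conn_id, b"B" * 10)
        except MemoryBudgetExceeded:
            tripped += 1
    results["budget_trips"] = tripped
    results["still_buffered"] = proxy.total_buffered()
    return results


if __name__ == "__main__":
    print(demo())
```

The per-connection cap is what a single misbehaving client hits; the global budget is the check that matters for the advisory's "across multiple connections" wording, since each client can stay just under its own cap while the sum grows without limit. A real deployment would pick the budget from the memory actually reserved for the proxy, not from the constructed values used here.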

Affected packages

  • netty / netty: >= 4.2.0.Final, < 4.2.15.Final; < 4.1.135.Final

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H