CVE-2026-50011: Netty has unbounded pre-allocation in RedisArrayAggregator from RESP array length
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, RedisArrayAggregator pre-allocates ArrayList with initial capacity equal to the RESP array element count declared in an array header. That count is taken from the wire before the corresponding child messages exist. A small malicious header can claim a huge initial capacity. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: 4.1.135.Final and 4.2.15.Final (named in the upstream advisory; not yet confirmed as published in the upstream feed at the time of writing)
- Affected Products: 1
HarborGuard Analysis
Synopsis
An uncontrolled memory allocation vulnerability exists in Netty's RedisArrayAggregator component, affecting versions before 4.1.135.Final and 4.2.15.Final. The flaw is reachable over the network with no authentication required: an attacker sends a crafted RESP array header declaring a very large element count, and the aggregator sizes an ArrayList (and therefore its backing Object[]) to that count before a single child message has arrived. A header of a dozen bytes can thus demand gigabytes of heap. Whether the JVM dies outright or is left unresponsive after the resulting OutOfMemoryError depends on the configured heap size and on how the application handles that error, and an attacker can simply repeat the header on new connections. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment upstream fix versions are confirmed published.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI pipelines, including custom-built images that bundle Netty as a dependency.
HarborGuard scores this finding at CVSS 7.5 HIGH using the v3.1 vector and weights it against each customer environment's compliance policy to determine priority routing; findings are directed to the team or inbox configured for the affected workload inside each customer org.
Because no fix versions have been confirmed published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment 4.1.135.Final or 4.2.15.Final is confirmed in the upstream feed. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention at that point.
Exploit Conditions
- Network reachability: Required
The attacker must reach the Netty service over the network to deliver a crafted RESP array header, as indicated by AV:N in the CVSS vector.
- Authentication: Not required
No credentials or session token are needed; the malicious RESP header can be sent by any unauthenticated client that can open a connection to the service (PR:N).
- Victim interaction: Not required
No user action is required; the server processes the malicious header automatically upon receipt (UI:N).
- Attack complexity: Low
Attack complexity is low (AC:L): the exploit is reliable and requires no special timing, race conditions, or environment-specific conditions.
Blast Radius
- The JVM heap on the affected host is exhausted by the pre-allocated ArrayList, crashing the Netty process.
- Any in-flight requests or queued work handled by that Netty instance are dropped and lost.
- If the Netty process is the entry point for a larger service, all dependent downstream components lose their upstream connection.
How HarborGuard Handles This
Because no upstream fix has been confirmed published yet, HarborGuard continuously re-checks the advisory on each ingest cycle and will surface a patched-image rebuild automatically once 4.1.135.Final or 4.2.15.Final appears in the upstream feed. For customers with auto-remediation enabled, that moment triggers a full rebuild, regression test run, and a PR opened against affected workloads, with no manual steps required. In the interim, compensating controls worth considering include:
- network-policy rules that restrict which clients can open raw TCP connections to Netty-backed Redis endpoints;
- ingress and egress filtering at the pod or host level to limit exposure to untrusted senders;
- feature-flag or configuration gating to disable RESP array aggregation paths where the application logic permits;
- a handler ahead of the aggregator that rejects array headers whose declared element count exceeds what the application can legitimately receive.
HarborGuard will surface the advisory in the findings feed for any image containing an affected Netty version so that engineering and security teams can apply these controls while waiting for the upstream patch.
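As an added example (Python, not Netty's code; the advisory quotes no source), the block below mirrors the pre-allocation pattern described in the synopsis and the header-screening control listed above. The unbounded case is only estimated arithmetically, since actually reserving that memory is the bug; the bounded decoder and the header screen run on constructed sample traffic. `MAX_INITIAL_CAPACITY`, `MAX_ARRAY_LENGTH` and the 4-byte reference size are assumptions chosen for illustration, not Netty settings, and the bounded form is one possible hardening, not a description of the upstream patch.

```python
"""RESP array-header handling: unbounded pre-allocation vs. a bounded aggregator.

Added example, not Netty's code. The unbounded case is only *estimated* (the
backing array `new ArrayList<>(declared)` would request); the bounded decoder
runs. All limits below are hypothetical tuning values, not Netty options.
"""
import re

JVM_REF_BYTES = 4             # assumed: compressed oops on a 64-bit JVM
MAX_INITIAL_CAPACITY = 1024   # hypothetical cap on what a header may pre-allocate
MAX_ARRAY_LENGTH = 1_000_000  # hypothetical hard limit on the declared element count

# Constructed inputs: a benign SET command, and a 13-byte header claiming 2^31-1 elements.
BENIGN = b"*3\r\n$3\r\nSET\r\n$3\r\nkey\r\n$5\r\nvalue\r\n"
MALICIOUS = b"*2147483647\r\n"


def parse_array_header(buf: bytes):
    """Parse '*<count>\\r\\n' at the start of buf -> (count, bytes_consumed).

    count is -1 for the RESP null array. Raises ValueError if malformed/incomplete.
    """
    if not buf.startswith(b"*"):
        raise ValueError("not an array header")
    end = buf.find(b"\r\n", 1)
    if end == -1:
        raise ValueError("incomplete header")
    digits = buf[1:end]
    if digits == b"-1":
        return -1, end + 2
    if not digits.isdigit():
        raise ValueError("invalid array length")
    return int(digits), end + 2


def parse_bulk_string(buf: bytes):
    """Parse '$<len>\\r\\n<bytes>\\r\\n' -> (value, bytes_consumed)."""
    if not buf.startswith(b"$"):
        raise ValueError("not a bulk string")
    end = buf.find(b"\r\n", 1)
    if end == -1 or not buf[1:end].isdigit():
        raise ValueError("incomplete or invalid bulk header")
    n = int(buf[1:end])
    start = end + 2
    if len(buf) < start + n + 2:
        raise ValueError("incomplete bulk body")
    return buf[start:start + n], start + n + 2


def unbounded_prealloc_bytes(declared: int) -> int:
    """Bytes the backing array of `new ArrayList<>(declared)` would request.

    Computed, never allocated: this is the vulnerable behaviour, trusting a
    wire-supplied count before any child message exists.
    """
    return declared * JVM_REF_BYTES


def bounded_initial_capacity(declared: int) -> int:
    """Hardened choice: reserve at most MAX_INITIAL_CAPACITY up front and let the
    list grow as children actually arrive instead of trusting the header."""
    return min(declared, MAX_INITIAL_CAPACITY)


def decode_array_bounded(buf: bytes):
    """Decode one flat array of bulk strings -> (children, reserved_capacity).

    Rejects counts above MAX_ARRAY_LENGTH before reserving anything and caps the
    up-front reservation; the list grows only as real children are parsed.
    """
    declared, pos = parse_array_header(buf)
    if declared == -1:
        return None, 0
    if declared > MAX_ARRAY_LENGTH:
        raise ValueError(f"declared array length {declared} exceeds {MAX_ARRAY_LENGTH}")
    reserved = bounded_initial_capacity(declared)
    children = []  # Python lists grow on append; `reserved` is what the Java form would reserve
    for _ in range(declared):
        value, used = parse_bulk_string(buf[pos:])
        children.append(value)
        pos += used
    return children, reserved


HEADER_RE = re.compile(rb"\*(\d+)\r\n")


def flag_oversized_headers(stream: bytes, threshold: int = MAX_ARRAY_LENGTH):
    """Screening over captured client->server bytes: every array header whose
    declared count exceeds threshold, as (offset, count) pairs."""
    return [(m.start(), int(m.group(1)))
            for m in HEADER_RE.finditer(stream) if int(m.group(1)) > threshold]


if __name__ == "__main__":
    print(decode_array_bounded(BENIGN))
    print(unbounded_prealloc_bytes(parse_array_header(MALICIOUS)[0]))
    print(flag_oversized_headers(BENIGN + MALICIOUS))
```

Run stand-alone, it decodes the benign command to its three bulk strings, reports that the 13-byte malicious header would request roughly 8 GB of backing array under the unbounded pattern, and flags that header's offset when it follows the benign command in one capture. The screening function is deliberately stateless so it can sit ahead of any aggregation, where the only thing it needs to trust is the length of data already received, not a number the client chose.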
Affected Products
- netty / netty: >= 4.2.0.Final, < 4.2.15.Final; < 4.1.135.Final
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H