CVE-2026-44250
HIGH 7.5Netty is a network application framework for development of protocol servers and clients. In netty-codec-redis prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can cause DoS by sending a crafted Redis payload with deeply nested arrays. This forces the server to allocate a massive number of state objects and collections, leading to memory exhaustion and an OutOfMemoryError. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Severe if exploited (CVSS 7.5), but no known exploitation and low modeled probability. Patch on a normal cadence.
Exploitation likelihood
0.4%chance of exploitation in 30 days · 29th percentile
Impact if exploited
7.5CVSS 3.1 · HIGH
- ConfidentialityNone
- IntegrityNone
- AvailabilityHigh
What an attacker needs
- ✓Access: Reachable over the network — no local access needed
- ✓Privileges: No account or privileges required
- ✓User interaction: No user interaction needed
- ✓Complexity: No special conditions — reliably repeatable
✓ lowers the bar for an attacker · ⚠ raises it
Affected
Products Netty Red Hat Build Of Apache Camel For Spring Boot 4 Red Hat Data Grid 8 Red Hat Fuse 7 Red Hat Jboss Enterprise Application Platform 7 Red Hat Jboss Enterprise Application Platform Expansion Pack Red Hat Single Sign On 7
Weakness (CWE)
- CWE-400: Uncontrolled resource consumption
- CWE-770: Allocation without limits
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
Technical & other
- https://github.com/netty/netty/security/advisories/GHSA-3244-j874-rhc2
- https://github.com/netty/netty/releases/tag/netty-4.1.135.Final
- https://github.com/netty/netty/releases/tag/netty-4.2.15.Final
- https://access.redhat.com/security/cve/CVE-2026-44250
- https://bugzilla.redhat.com/show_bug.cgi?id=2488062
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-44250.json