CVE-2026-50011
HIGH 7.5Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, RedisArrayAggregator pre-allocates ArrayList with initial capacity equal to the RESP array element count declared in an array header. That count is taken from the wire before the corresponding child messages exist. A small malicious header can claim a huge initial capacity. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Severe if exploited (CVSS 7.5), but no known exploitation and low modeled probability. Patch on a normal cadence.
Exploitation likelihood
0.4%chance of exploitation in 30 days · 29th percentile
Impact if exploited
7.5CVSS 3.1 · HIGH
- ConfidentialityNone
- IntegrityNone
- AvailabilityHigh
What an attacker needs
- ✓Access: Reachable over the network — no local access needed
- ✓Privileges: No account or privileges required
- ✓User interaction: No user interaction needed
- ✓Complexity: No special conditions — reliably repeatable
✓ lowers the bar for an attacker · ⚠ raises it
Affected
Products Netty Red Hat Build Of Apache Camel For Spring Boot 4 Red Hat Data Grid 8 Red Hat Fuse 7 Red Hat Jboss Enterprise Application Platform 7 Red Hat Jboss Enterprise Application Platform Expansion Pack Red Hat Single Sign On 7
Weakness (CWE)
- CWE-400: Uncontrolled resource consumption
- CWE-770: Allocation without limits
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
Technical & other
- https://github.com/netty/netty/security/advisories/GHSA-5w86-c3rq-vjj7
- https://github.com/netty/netty/releases/tag/netty-4.1.135.Final
- https://github.com/netty/netty/releases/tag/netty-4.2.15.Final
- https://access.redhat.com/security/cve/CVE-2026-50011
- https://bugzilla.redhat.com/show_bug.cgi?id=2488413
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-50011.json