CVE-2026-42586

About vulnerability

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the Netty Redis codec encoder (RedisEncoder) writes user-controlled string content directly to the network output buffer without validating or sanitizing CRLF (\r\n) characters. Since the Redis Serialization Protocol (RESP) uses CRLF as the command/response delimiter, an attacker who can control the content of a Redis message can inject arbitrary Redis commands or forge fake responses. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

Affected product:

Apache CXF , Apache Kafka , Apache Log4j , Apache Spark , Eclipse Jetty , Netty , Spring , Wildfly , artemis , async-http-client , azure-sdk-for-java , camel , cassandra-java-driver , couchbase-jvm-clients , elasticsearch , grpc-java , grpc-netty , infinispan , java-driver , lettuce , logging-flume , neo4j-java-driver , netty , rsocket-java , tika , wildfly , zookeeper

Affected packages:

apache-cxf @ 3.5.11 (+10198 more)

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the Netty Redis codec encoder (RedisEncoder) writes user-controlled string content directly to the network output buffer without validating or sanitizing CRLF (\r\n) characters. Since the Redis Serialization Protocol (RESP) uses CRLF as the command/response delimiter, an attacker who can control the content of a Redis message can inject arbitrary Redis commands or forge fake responses. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.