CVE-2026-44890

About vulnerability

Netty is a network application framework for development of protocol servers and clients. In netty-codec-redis prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can cause DoS by sending crafted Redis payloads across multiple connections without \r\n. This exhausts the server’s direct memory pool (OutOfDirectMemoryError), preventing legitimate connections from being processed. Versions 4.1.135.Final and 4.2.15.Final patch the issue.

Affected product:

Apache CXF , Apache Kafka , Apache Log4j , Apache Spark , Eclipse Jetty , Netty , React , Spring , Wildfly , artemis , async-http-client , azure-sdk-for-java , camel , cassandra-java-driver , couchbase-jvm-clients , elasticsearch , grpc-java , infinispan , java-driver , lettuce , logging-flume , neo4j-java-driver , netty , rsocket-java , tika , wildfly , zookeeper

Affected packages:

netty-all @ 4.1.64.Final (+5954 more)

Netty is a network application framework for development of protocol servers and clients. In netty-codec-redis prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can cause DoS by sending crafted Redis payloads across multiple connections without \r\n. This exhausts the server’s direct memory pool (OutOfDirectMemoryError), preventing legitimate connections from being processed. Versions 4.1.135.Final and 4.2.15.Final patch the issue.