{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-44250", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-05-05T16:33:55.844Z", "datePublished": "2026-06-11T20:49:00.487Z", "dateUpdated": "2026-06-12T13:44:45.503Z"}, "containers": {"cna": {"title": "Netty: Memory Exhaustion in RedisArrayAggregator due to Deeply Nested Arrays", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/netty/netty/security/advisories/GHSA-3244-j874-rhc2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/netty/netty/security/advisories/GHSA-3244-j874-rhc2"}, {"name": "https://github.com/netty/netty/releases/tag/netty-4.1.135.Final", "tags": ["x_refsource_MISC"], "url": "https://github.com/netty/netty/releases/tag/netty-4.1.135.Final"}, {"name": "https://github.com/netty/netty/releases/tag/netty-4.2.15.Final", "tags": ["x_refsource_MISC"], "url": "https://github.com/netty/netty/releases/tag/netty-4.2.15.Final"}], "affected": [{"vendor": "netty", "product": "netty", "versions": [{"version": ">= 4.2.0.Final, < 4.2.15.Final", "status": "affected"}, {"version": "< 4.1.135.Final", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-11T20:49:00.487Z"}, "descriptions": [{"lang": "en", "value": "Netty is a network application framework for development of protocol servers and clients. In netty-codec-redis prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can cause DoS by sending a crafted Redis payload with deeply nested arrays. This forces the server to allocate a massive number of state objects and collections, leading to memory exhaustion and an OutOfMemoryError. Versions 4.1.135.Final and 4.2.15.Final patch the issue."}], "source": {"advisory": "GHSA-3244-j874-rhc2", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-12T13:44:38.298945Z", "id": "CVE-2026-44250", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-12T13:44:45.503Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-44250", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-12T13:44:38.298945Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-12T13:44:42.022Z"}}], "cna": {"title": "Netty: Memory Exhaustion in RedisArrayAggregator due to Deeply Nested Arrays", "source": {"advisory": "GHSA-3244-j874-rhc2", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "netty", "product": "netty", "versions": [{"status": "affected", "version": ">= 4.2.0.Final, < 4.2.15.Final"}, {"status": "affected", "version": "< 4.1.135.Final"}]}], "references": [{"url": "https://github.com/netty/netty/security/advisories/GHSA-3244-j874-rhc2", "name": "https://github.com/netty/netty/security/advisories/GHSA-3244-j874-rhc2", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/netty/netty/releases/tag/netty-4.1.135.Final", "name": "https://github.com/netty/netty/releases/tag/netty-4.1.135.Final", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/netty/netty/releases/tag/netty-4.2.15.Final", "name": "https://github.com/netty/netty/releases/tag/netty-4.2.15.Final", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Netty is a network application framework for development of protocol servers and clients. In netty-codec-redis prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can cause DoS by sending a crafted Redis payload with deeply nested arrays. This forces the server to allocate a massive number of state objects and collections, leading to memory exhaustion and an OutOfMemoryError. Versions 4.1.135.Final and 4.2.15.Final patch the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-11T20:49:00.487Z"}}}, "cveMetadata": {"cveId": "CVE-2026-44250", "state": "PUBLISHED", "dateUpdated": "2026-06-12T13:44:45.503Z", "dateReserved": "2026-05-05T16:33:55.844Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-06-11T20:49:00.487Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*", "matchCriteriaId": "3097D962-A32D-4467-AAE7-F4CBA3A349D2", "versionEndExcluding": "4.1.135", "vulnerable": true}, {"criteria": "cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*", "matchCriteriaId": "413D4611-A46C-4BE4-AB2F-D86282F65984", "versionEndExcluding": "4.2.15", "versionStartIncluding": "4.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Netty is a network application framework for development of protocol servers and clients. In netty-codec-redis prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can cause DoS by sending a crafted Redis payload with deeply nested arrays. This forces the server to allocate a massive number of state objects and collections, leading to memory exhaustion and an OutOfMemoryError. Versions 4.1.135.Final and 4.2.15.Final patch the issue."}], "id": "CVE-2026-44250", "lastModified": "2026-06-15T02:30:38.483", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "[email protected]", "type": "Secondary"}]}, "published": "2026-06-11T22:16:56.857", "references": [{"source": "[email protected]", "tags": ["Release Notes"], "url": "https://github.com/netty/netty/releases/tag/netty-4.1.135.Final"}, {"source": "[email protected]", "tags": ["Release Notes"], "url": "https://github.com/netty/netty/releases/tag/netty-4.2.15.Final"}, {"source": "[email protected]", "tags": ["Vendor Advisory"], "url": "https://github.com/netty/netty/security/advisories/GHSA-3244-j874-rhc2"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "[email protected]", "type": "Primary"}]}

{"bugzilla": {"description": "netty-codec-redis: netty-codec-redis: Denial of Service via crafted Redis payload with deeply nested arrays", "id": "2488062", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2488062"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-770", "details": ["Netty is a network application framework for development of protocol servers and clients. In netty-codec-redis prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can cause DoS by sending a crafted Redis payload with deeply nested arrays. This forces the server to allocate a massive number of state objects and collections, leading to memory exhaustion and an OutOfMemoryError. Versions 4.1.135.Final and 4.2.15.Final patch the issue.", "A flaw was found in netty-codec-redis. A remote attacker can exploit this vulnerability by sending a specially crafted Redis payload containing deeply nested arrays. This action forces the server to allocate a large number of state objects and collections, leading to memory exhaustion. Consequently, this can result in a Denial of Service (DoS) condition, rendering the affected server unresponsive."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, restrict network access to services utilizing netty-codec-redis to trusted clients and networks only. Implement firewall rules to limit exposure of the Redis service or the application using it to prevent unauthenticated remote attackers from sending malicious payloads. This may impact legitimate client connections if not configured carefully. A service restart may be required for firewall rule changes to take effect."}, "name": "CVE-2026-44250", "package_state": [{"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Affected", "package_name": "netty-codec-redis", "product_name": "Red Hat build of Apache Camel for Spring Boot 4"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Affected", "package_name": "netty-codec-redis", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Affected", "package_name": "netty-codec-redis", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Affected", "package_name": "netty-codec-redis", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Affected", "package_name": "netty-codec-redis", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Affected", "package_name": "netty-codec-redis", "product_name": "Red Hat Single Sign-On 7"}], "public_date": "2026-06-11T20:49:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-44250\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-44250\nhttps://github.com/netty/netty/releases/tag/netty-4.1.135.Final\nhttps://github.com/netty/netty/releases/tag/netty-4.2.15.Final\nhttps://github.com/netty/netty/security/advisories/GHSA-3244-j874-rhc2"], "statement": "This is an Important denial of service vulnerability in netty-codec-redis, affecting Red Hat products that process Redis payloads. A remote attacker can exhaust server memory by sending a crafted Redis payload with deeply nested arrays, leading to an OutOfMemoryError and rendering the service unresponsive. This impact is significant due to the potential for complete service disruption without authentication.", "threat_severity": "Important"}