PatchSiren cyber security CVE debrief
CVE-2026-44250 netty CVE debrief
CVE-2026-44250 is a high-severity (CVSS 7.5) Denial of Service (DoS) vulnerability in Netty's netty-codec-redis component. An attacker can trigger it by sending a crafted Redis payload with deeply nested arrays, leading to memory exhaustion and an OutOfMemoryError. The issue was patched in versions 4.1.135.Final and 4.2.15.Final of Netty.
- Vendor: netty
- Product: Unknown
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-11
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-11
- Advisory updated: 2026-06-12
Who should care
Users of Netty's netty-codec-redis component, particularly those who handle Redis payloads, should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The vulnerability exists in netty-codec-redis prior to versions 4.1.135.Final and 4.2.15.Final. An attacker can exploit this vulnerability by sending a crafted Redis payload with deeply nested arrays, which forces the server to allocate a massive number of state objects and collections, leading to memory exhaustion and an OutOfMemoryError.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade to Netty version 4.1.135.Final or 4.2.15.Final or later
- Implement input validation and sanitization for Redis payloads
- Monitor server memory usage and adjust configuration as needed
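One way to apply the input-validation action above is to bound RESP array nesting before the bytes reach the decoder. The following is an added example, not Netty's code or its patch; the class name `RespDepthGuard`, the depth limit, and the assumption that the request bytes are already buffered in one array are all illustrative.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayDeque;
import java.util.Deque;
// Added example (hypothetical class): rejects RESP input whose arrays nest deeper than a limit.
public final class RespDepthGuard {
    /** Returns the deepest array nesting in buf; throws as soon as limit is exceeded. */
    static int maxDepth(byte[] buf, int limit) {
        Deque<long[]> open = new ArrayDeque<>(); // elements still expected per open array
        int pos = 0, deepest = 0;
        while (pos < buf.length) {
            int eol = indexOfCrlf(buf, pos);
            if (eol < 0) break; // incomplete header line: caller should wait for more bytes
            if (eol == pos) throw new IllegalArgumentException("empty RESP line");
            byte type = buf[pos];
            String body = new String(buf, pos + 1, eol - pos - 1, StandardCharsets.US_ASCII);
            pos = eol + 2;
            boolean valueDone = true;
            if (type == '*') { // array header: "*<count>"
                long n = Long.parseLong(body);
                if (n > 0) {
                    open.push(new long[] { n });
                    if (open.size() > limit)
                        throw new IllegalStateException("RESP nesting exceeds " + limit);
                    deepest = Math.max(deepest, open.size());
                    valueDone = false; // the array completes only when its elements do
                }
            } else if (type == '$') { // bulk string: skip payload so a '*' inside it is not parsed
                long n = Long.parseLong(body);
                if (n > buf.length - pos - 2L) break; // payload not fully buffered yet
                if (n >= 0) pos += (int) n + 2;
            }
            // A finished value fills one slot of its parent; full parents close in turn.
            while (valueDone && !open.isEmpty() && --open.peek()[0] == 0) open.pop();
        }
        return deepest;
    }
    private static int indexOfCrlf(byte[] b, int from) {
        for (int i = from; i + 1 < b.length; i++)
            if (b[i] == '\r' && b[i + 1] == '\n') return i;
        return -1;
    }
    public static void main(String[] args) {
        // Constructed samples: a flat two-element command and a three-level nested array.
        byte[] flat = "*2\r\n$3\r\nGET\r\n$1\r\n*\r\n".getBytes(StandardCharsets.US_ASCII);
        byte[] nested = "*1\r\n*1\r\n*1\r\n:1\r\n".getBytes(StandardCharsets.US_ASCII);
        System.out.println("flat depth: " + maxDepth(flat, 8));
        try { maxDepth(nested, 2); } catch (IllegalStateException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

A check like this complements the upgrade rather than replacing it; in a streaming pipeline the open-array stack would have to persist across reads.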
Evidence notes
The CVE record provides official details on this vulnerability. Additional information can be found in the Netty releases and security advisory.
Official resources
CVE-2026-44250 was published on 2026-06-11T22:16:56.857Z and modified on 2026-06-12T15:55:06.377Z.