PatchSiren cyber security CVE debrief
CVE-2026-44890 netty CVE debrief
CVE-2026-44890 is a high-severity vulnerability in Netty, a network application framework. An attacker can cause a Denial of Service (DoS) by sending crafted Redis payloads without `\r\n` across multiple connections. This exhausts the server's direct memory pool (OutOfDirectMemoryError), preventing legitimate connections from being processed. The vulnerability affects netty-codec-redis prior to versions 4.1.135.Final and 4.2.15.Final. Its CVSS score is 7.5, indicating high severity. The vulnerability was published on 2026-06-11 and last modified on 2026-06-12.
- Vendor: netty
- Product: Unknown
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-11
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-11
- Advisory updated: 2026-06-12
Who should care
Users of Netty, particularly those using netty-codec-redis, should be aware of this vulnerability and take steps to mitigate it. This includes updating to versions 4.1.135.Final or 4.2.15.Final, or later.
Technical summary
The vulnerability is caused by the lack of proper handling of Redis payloads in netty-codec-redis. An attacker can exploit it by sending crafted Redis payloads without `\r\n` across multiple connections, which exhausts the server's direct memory pool and leads to an OutOfDirectMemoryError. This prevents legitimate connections from being processed, resulting in a Denial of Service (DoS).
Defensive priority
High
Recommended defensive actions
- Update to versions 4.1.135.Final or 4.2.15.Final, or later.
- Implement proper handling of Redis payloads in netty-codec-redis.
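As an added illustration of the second action (this is not Netty's code or its patch, and not taken from the advisory), the plain-Java sketch below caps how many bytes a connection may buffer while waiting for `\r\n` and rejects the input once the cap is hit. The class name `BoundedCrlfFramer`, the 64-byte limit and the sample inputs are assumptions made for the example. It handles only CRLF-terminated lines and does not model Redis bulk strings.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/** Hypothetical per-connection framer for CRLF-terminated lines (not Netty code). */
public class BoundedCrlfFramer {
    private final int maxPending; // cap on bytes held while waiting for \r\n
    private final ByteArrayOutputStream pending = new ByteArrayOutputStream();
    private boolean lastWasCr = false;

    public BoundedCrlfFramer(int maxPending) { this.maxPending = maxPending; }
    /** Feed one network read; returns completed lines, throws once the cap is hit. */
    public List<String> feed(byte[] chunk) {
        List<String> lines = new ArrayList<>();
        for (byte b : chunk) {
            if (lastWasCr && b == '\n') {           // terminator complete: emit the line
                byte[] raw = pending.toByteArray(); // still ends with the buffered '\r'
                lines.add(new String(raw, 0, raw.length - 1, StandardCharsets.US_ASCII));
                pending.reset();
                lastWasCr = false;
                continue;
            }
            if (pending.size() >= maxPending) {
                pending.reset(); // discard the partial line before signalling the caller
                throw new IllegalStateException("no CRLF within " + maxPending + " bytes");
            }
            pending.write(b);
            lastWasCr = (b == '\r');
        }
        return lines;
    }

    public int pendingBytes() { return pending.size(); }
    public static void main(String[] args) {
        BoundedCrlfFramer f = new BoundedCrlfFramer(64); // constructed limit
        // Constructed sample: one well-formed line split across two reads.
        System.out.println(f.feed("+PO".getBytes(StandardCharsets.US_ASCII)));
        System.out.println(f.feed("NG\r\n".getBytes(StandardCharsets.US_ASCII)));
        byte[] noTerminator = new byte[32]; // constructed sample: never contains \r\n
        Arrays.fill(noTerminator, (byte) 'A');
        try {
            for (int i = 0; i < 4; i++) f.feed(noTerminator);
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage() + ", held=" + f.pendingBytes());
        }
    }
}
```

On the exception the caller is expected to close the connection, so memory held per connection stays bounded by the cap regardless of how many unterminated bytes arrive.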
Evidence notes
The vulnerability is documented in the CVE record and the NVD detail. Additional information can be found in the source item and the source references.
Official resources
CVE-2026-44890 was published on 2026-06-11T22:16:56.997Z and last modified on 2026-06-12T15:55:06.377Z.