PatchSiren cyber security CVE debrief
CVE-2026-48006 netty CVE debrief
A high-severity vulnerability was discovered in Netty, a network application framework. The RedisArrayAggregator handler is susceptible to a denial-of-service attack due to a memory leak. When a Redis pipeline connection closes before a RESP array aggregate completes, the handler retains child messages in its state without releasing them, leading to a permanent leak of pooled direct-memory buffers. This issue affects Netty versions prior to 4.1.135.Final and 4.2.15.Final.
- Vendor: netty
- Product: Unknown
- CVSS: HIGH 8.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-15
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-15
Who should care
Users of Netty, particularly those whose applications place the RedisArrayAggregator handler in a channel pipeline, should be aware of this vulnerability. Developers and administrators who maintain and secure network applications built on Netty are advised to take immediate action.
Technical summary
The RedisArrayAggregator handler in Netty leaks pooled direct-memory buffers when a Redis pipeline connection closes before an array aggregate is complete. The handler keeps the child messages collected so far in its state (the depths field) but does not override the pipeline teardown callbacks (channelInactive, handlerRemoved, or exceptionCaught) to release them, so a connection that closes mid-array leaves those messages unreleased. Because the leaked buffers are slices of PooledByteBufAllocator chunks, the chunks they pin can never be returned to the JVM-wide direct-memory pool. Each such premature close drains the shared pool a little further, until allocations fail across all Netty channels in the process.
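The leak the summary describes is a general hazard for any stateful aggregating handler: buffers collected for a partial aggregate are owned by the handler, and if the channel goes away before the aggregate completes, nothing else will release them. The handler below is an added illustration of the release-on-teardown pattern; it is not Netty's RedisArrayAggregator and not the upstream fix. The class name, the fixed `expected` fragment count and the `List<ByteBuf>` aggregate shape are assumptions made for the example; the Netty callbacks and utility calls it uses are the framework's real API.

```java
import io.netty.buffer.ByteBuf;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelInboundHandlerAdapter;
import io.netty.util.ReferenceCountUtil;

import java.util.ArrayList;
import java.util.List;

/**
 * Hypothetical aggregator (example code, not Netty's): collects ByteBuf
 * fragments until a declared count has arrived, then emits them as one list.
 * The point of the example is the three teardown overrides at the bottom.
 */
public class ReleasingAggregator extends ChannelInboundHandlerAdapter {
    private final int expected;                              // fragments per aggregate (assumed protocol detail)
    private final List<ByteBuf> pending = new ArrayList<>(); // in-flight child messages this handler owns

    public ReleasingAggregator(int expected) {
        this.expected = expected;
    }

    @Override
    public void channelRead(ChannelHandlerContext ctx, Object msg) throws Exception {
        if (!(msg instanceof ByteBuf)) {
            ctx.fireChannelRead(msg); // not a fragment; pass it along untouched
            return;
        }
        pending.add((ByteBuf) msg);   // the handler now owns this reference
        if (pending.size() == expected) {
            List<ByteBuf> complete = new ArrayList<>(pending);
            pending.clear();          // ownership moves downstream with the list
            ctx.fireChannelRead(complete);
        }
    }

    // The three teardown paths the advisory names. Each one drops any half-built
    // aggregate so its pooled slices stop pinning their allocator chunk.
    @Override
    public void channelInactive(ChannelHandlerContext ctx) throws Exception {
        releasePending();
        ctx.fireChannelInactive();
    }

    @Override
    public void handlerRemoved(ChannelHandlerContext ctx) throws Exception {
        releasePending();
    }

    @Override
    public void exceptionCaught(ChannelHandlerContext ctx, Throwable cause) throws Exception {
        releasePending();
        ctx.fireExceptionCaught(cause);
    }

    private void releasePending() {
        for (ByteBuf buf : pending) {
            ReferenceCountUtil.release(buf); // decrements the refcount; returns the slice to the pool at zero
        }
        pending.clear();
    }

    /** Number of child messages still held; useful in a unit test that closes the channel mid-aggregate. */
    int pendingCount() {
        return pending.size();
    }
}
```

Of the three callbacks, handlerRemoved is the one that always fires, including when a handler is replaced while the channel stays open, so a handler that releases state only in channelInactive still leaks on pipeline reconfiguration. To confirm a fix or to spot this class of leak in a running service, start the JVM with `-Dio.netty.leakDetection.level=paranoid` (Netty then logs a `LEAK: ByteBuf.release() was not called` message, with the allocation site, for any pooled buffer that is garbage-collected without being released) and watch `PooledByteBufAllocator.DEFAULT.metric().usedDirectMemory()` over repeated connect-send-partial-close cycles; a value that only ever climbs is the monotonic drain the summary describes.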
Defensive priority
High
Recommended defensive actions
- Upgrade to Netty version 4.1.135.Final or 4.2.15.Final, which patches this issue.
- Review and update affected applications to ensure they use patched versions of Netty.
Evidence notes
CVE-2026-48006 has a CVSS score of 8.7 and is classified as HIGH severity. The vulnerability was published on 2026-06-12T16:16:30.450Z and last modified on 2026-06-12T16:18:27.287Z.
Official resources
CVE-2026-48006 was published on 2026-06-12T16:16:30.450Z and last modified on 2026-06-12T16:18:27.287Z.