PatchSiren cyber security CVE debrief
CVE-2026-50011 netty CVE debrief
A vulnerability was discovered in Netty, a network application framework, affecting the RedisArrayAggregator component. Prior to versions 4.1.135.Final and 4.2.15.Final, the RedisArrayAggregator pre-allocates an ArrayList with an initial capacity equal to the RESP array element count declared in an array header. This count is taken from the wire before the corresponding child messages exist, so a small malicious header can claim a huge initial capacity, potentially leading to a Denial of Service (DoS). The CVSS score for this vulnerability is 7.5, indicating HIGH severity. The vulnerability was patched in Netty versions 4.1.135.Final and 4.2.15.Final.
- Vendor
- netty
- Product
- Unknown
- CVSS
- HIGH 7.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-12
- Original CVE updated
- 2026-06-15
- Advisory published
- 2026-06-12
- Advisory updated
- 2026-06-15
Who should care
Users of Netty versions prior to 4.1.135.Final and 4.2.15.Final should update to a patched version to mitigate this vulnerability.
Technical summary
The RedisArrayAggregator in Netty is vulnerable to a DoS attack because it pre-allocates an ArrayList whose initial capacity is the element count declared in a RESP array header, a value controlled by the remote peer and accepted before any child message has arrived.
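The following is an added illustration of the weak pattern described above and one way to bound it; it is not Netty's code and does not reproduce the actual upstream patch. The class name, the two policy constants (MAX_INITIAL_CAPACITY, MAX_DECLARED_ELEMENTS) and the constructed RESP headers are assumptions for the demonstration.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

/**
 * Illustration (not Netty code) of sizing an ArrayList from a RESP array header
 * count read off the wire before any child element exists, next to a bounded form.
 */
public final class RespArrayHeaderDemo {

    /** Assumed policy value: the largest initial capacity we are willing to pre-allocate. */
    static final int MAX_INITIAL_CAPACITY = 1024;
    /** Assumed policy value: declared lengths above this are treated as implausible and rejected. */
    static final int MAX_DECLARED_ELEMENTS = 1_000_000;

    /** Parses a RESP array header of the form "*<count>\r\n" and returns the declared count. */
    static long parseDeclaredCount(byte[] header) {
        String s = new String(header, StandardCharsets.US_ASCII);
        if (!s.startsWith("*") || !s.endsWith("\r\n")) {
            throw new IllegalArgumentException("not a RESP array header");
        }
        return Long.parseLong(s.substring(1, s.length() - 2));
    }

    /** Weak pattern: trusts the peer-controlled count as the initial capacity. */
    static List<Object> allocateTrustingHeader(long declared) {
        // A header of a dozen bytes can demand a backing array of about two billion slots here.
        return new ArrayList<>((int) declared);
    }

    /** Hardened pattern: validate the declared count, then cap the pre-allocation. */
    static List<Object> allocateBounded(long declared) {
        if (declared < 0 || declared > MAX_DECLARED_ELEMENTS) {
            throw new IllegalArgumentException(
                    "declared RESP array length " + declared + " exceeds limit " + MAX_DECLARED_ELEMENTS);
        }
        // Reserve at most a small fixed amount; the list grows only as real children arrive.
        return new ArrayList<>((int) Math.min(declared, MAX_INITIAL_CAPACITY));
    }

    public static void main(String[] args) {
        // Constructed inputs: a legitimate three-element array and a header claiming 2^31-1 elements.
        byte[] benign = "*3\r\n".getBytes(StandardCharsets.US_ASCII);
        byte[] hostile = "*2147483647\r\n".getBytes(StandardCharsets.US_ASCII);

        long benignCount = parseDeclaredCount(benign);
        List<Object> elements = allocateBounded(benignCount);
        System.out.println("benign header declares " + benignCount
                + " elements; bounded list created (size " + elements.size() + ")");

        long hostileCount = parseDeclaredCount(hostile);
        System.out.println("hostile header of " + hostile.length + " bytes declares " + hostileCount);
        try {
            allocateBounded(hostileCount);
        } catch (IllegalArgumentException e) {
            System.out.println("bounded aggregator rejected it: " + e.getMessage());
        }
        // allocateTrustingHeader(hostileCount) is deliberately not invoked: it would request a
        // ~2 billion slot backing array and fail with OutOfMemoryError, which is the DoS condition.
    }
}
```

The point of the bounded form is that the header alone never determines how much memory is reserved: an upper bound on the declared length rejects implausible arrays outright, and the initial capacity is clamped so that memory is committed only as actual child messages are aggregated.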
Defensive priority
HIGH
Recommended defensive actions
- Update to Netty version 4.1.135.Final or 4.2.15.Final or later.
- Review and monitor RedisArrayAggregator usage in your application.
Evidence notes
Evidence from the NVD and CVE.org.
Official resources
CVE-2026-50011 was published on 2026-06-12T16:16:31.313Z and modified on 2026-06-12T16:18:27.287Z.