Netty: Memory Exhaustion in RedisArrayAggregator due to Deeply Nested Arrays
GHSA-3244-j874-rhc2 · CVE-2026-44250
Published · Modified
Description
Summary
An attacker can cause DoS by sending a crafted Redis payload with deeply nested arrays. This forces the server to allocate a massive number of state objects and collections, leading to memory exhaustion and an OutOfMemoryError.
Details
io.netty.handler.codec.redis.RedisArrayAggregator aggregates RedisMessage parts into ArrayRedisMessage. It uses a Deque<AggregateState> to keep track of nested arrays. However, it does not limit the maximum depth of nested arrays. When an attacker sends a continuous stream of nested array headers (e.g., *1\r\n*1\r\n*1\r\n...), RedisArrayAggregator pushes a new AggregateState onto the stack and allocates a new ArrayList for each header. Because there is no depth limit, an attacker can send millions of such headers. This consumes a massive amount of heap memory for the AggregateState instances and their backing ArrayLists, eventually resulting in an OutOfMemoryError.
Impact
Denial of Service due to memory exhaustion. Any application using Netty's RedisArrayAggregator to handle untrusted Redis traffic is vulnerable.
References
- WEB https://github.com/netty/netty/security/advisories/GHSA-3244-j874-rhc2
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-44250
- PACKAGE https://github.com/netty/netty
- WEB https://github.com/netty/netty/releases/tag/netty-4.1.135.Final
- WEB https://github.com/netty/netty/releases/tag/netty-4.2.15.Final
Ready to move
Start Securing
Free, no credit card | First findings in minutes