{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-44890","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2026-05-07T21:50:33.545Z","datePublished":"2026-06-11T20:52:50.980Z","dateUpdated":"2026-06-30T12:10:23.761Z"},"containers":{"cna":{"title":"Netty has Unbounded Direct Memory Consumption in its RedisDecoder","problemTypes":[{"descriptions":[{"cweId":"CWE-400","lang":"en","description":"CWE-400: Uncontrolled Resource Consumption","type":"CWE"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"}}],"references":[{"name":"https://github.com/netty/netty/security/advisories/GHSA-6ghj-frrj-jjj3","tags":["x_refsource_CONFIRM"],"url":"https://github.com/netty/netty/security/advisories/GHSA-6ghj-frrj-jjj3"},{"name":"https://github.com/netty/netty/releases/tag/netty-4.1.135.Final","tags":["x_refsource_MISC"],"url":"https://github.com/netty/netty/releases/tag/netty-4.1.135.Final"},{"name":"https://github.com/netty/netty/releases/tag/netty-4.2.15.Final","tags":["x_refsource_MISC"],"url":"https://github.com/netty/netty/releases/tag/netty-4.2.15.Final"}],"affected":[{"vendor":"netty","product":"netty","versions":[{"version":">= 4.2.0.Final, < 4.2.15.Final","status":"affected"},{"version":"< 4.1.135.Final","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2026-06-11T20:52:50.980Z"},"descriptions":[{"lang":"en","value":"Netty is a network application framework for development of protocol servers and clients. In netty-codec-redis prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can cause DoS by sending crafted Redis payloads across multiple connections without `\\r\\n`. This exhausts the server's direct memory pool (OutOfDirectMemoryError), preventing legitimate connections from being processed. Versions 4.1.135.Final and 4.2.15.Final patch the issue."}],"source":{"advisory":"GHSA-6ghj-frrj-jjj3","discovery":"UNKNOWN"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-06-12T10:05:11.294129Z","id":"CVE-2026-44890","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-06-12T10:05:37.476Z"}},{"affected":[{"cpes":["cpe:/a:redhat:camel_spring_boot:4"],"defaultStatus":"affected","product":"Red Hat build of Apache Camel for Spring Boot 4","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:jboss_data_grid:8"],"defaultStatus":"affected","product":"Red Hat Data Grid 8","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:jboss_fuse:7"],"defaultStatus":"affected","product":"Red Hat Fuse 7","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:jboss_enterprise_application_platform:7"],"defaultStatus":"affected","product":"Red Hat JBoss Enterprise Application Platform 7","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:jbosseapxp"],"defaultStatus":"affected","product":"Red Hat JBoss Enterprise Application Platform Expansion Pack","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:red_hat_single_sign_on:7"],"defaultStatus":"unaffected","product":"Red Hat Single Sign-On 7","vendor":"Red Hat"}],"datePublic":"2026-06-11T20:52:50.980Z","descriptions":[{"lang":"en","value":"A flaw was found in netty-codec-redis. A remote attacker can exploit this vulnerability by sending specially crafted Redis payloads across multiple connections without proper termination. This can exhaust the server's direct memory pool, leading to a Denial of Service (DoS) condition where legitimate connections cannot be processed."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-770","description":"Allocation of Resources Without Limits or Throttling","lang":"en","type":"CWE"}]}],"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-44890"},{"name":"RHBZ#2488053","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2488053"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-44890.json"}],"timeline":[{"lang":"en","time":"2026-06-11T22:00:53.322Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-06-11T20:52:50.980Z","value":"Made public."}],"title":"netty-codec-redis: netty-codec-redis: Denial of Service via crafted Redis payloads","workarounds":[{"lang":"en","value":"Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}],"x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"},"providerMetadata":{"orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP","dateUpdated":"2026-06-30T12:10:23.761Z"}}]}}