# CVE-2026-42586: Netty Redis Codec Encoder has a CRLF Injection Issue
| Field | Value |
|---|---|
| Product | Netty |
| Version | 4.2.12.Final (and all prior versions with codec-redis) |
| Component | io.netty.handler.codec.redis.RedisEncoder |
| Vulnerability Type | CWE-93: Improper Neutralization of CRLF Sequences (CRLF Injection) |
| Impact | Redis Command Injection / Response Poisoning |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality Impact | High |
| Integrity Impact | High |
| Availability Impact | None |
## References
- github.com/advisories/GHSA-rgrr-p7gp-5xj7
- github.com/netty/netty
- github.com/netty/netty/security/advisories/GHSA-84h7-rjj3-6jx4
- github.com/netty/netty/security/advisories/GHSA-jq43-27x9-3v86
- github.com/netty/netty/security/advisories/GHSA-rgrr-p7gp-5xj7
- nvd.nist.gov/vuln/detail/CVE-2026-42586
- redis.io/docs/reference/protocol-spec