CVE-2026-44890: Netty has Unbounded Direct Memory Consumption in its RedisDecoder

June 8, 2026 (updated June 12, 2026)

An attacker can cause DoS by sending crafted Redis payloads across multiple connections without \r\n. This exhausts the server’s direct memory pool (OutOfDirectMemoryError), preventing legitimate connections from being processed.

References

github.com/advisories/GHSA-6ghj-frrj-jjj3
github.com/netty/netty/releases/tag/netty-4.1.135.Final
github.com/netty/netty/releases/tag/netty-4.2.15.Final
github.com/netty/netty/security/advisories/GHSA-6ghj-frrj-jjj3
nvd.nist.gov/vuln/detail/CVE-2026-44890

Code Behaviors & Features

Detect and mitigate CVE-2026-44890 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →