GHSA-5w86-c3rq-vjj7

Source

https://github.com/advisories/GHSA-5w86-c3rq-vjj7

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-5w86-c3rq-vjj7/GHSA-5w86-c3rq-vjj7.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-5w86-c3rq-vjj7

Aliases

CVE-2026-50011

Related

CGA-8mwc-q65h-98w5

Published

2026-06-15T20:46:16Z

Modified

2026-06-16T18:29:23.153230629Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

Netty: Unbounded pre-allocation in RedisArrayAggregator from RESP array length

Details

Summary

RedisArrayAggregator pre-allocates ArrayList with initial capacity equal to the RESP array element count declared in an array header. That count is taken from the wire before the corresponding child messages exist. A small malicious header can claim a huge initial capacity.

Details

The aggregator starts a new aggregation level when it receives an ArrayHeaderRedisMessage. For positive lengths it pushes AggregateState, whose constructor runs new ArrayList<>(length). No configurable maximum is applied in this handler, and the peer does not need to supply the array elements for the backing array allocation to occur.

In the same pipeline, RedisDecoder enforces RedisConstants.REDISMESSAGEMAX_LENGTH for bulk string lengths but does not apply that cap to array header lengths. Declared array sizes can therefore be extremely large while still passing decoding, and the aggregator immediately attempts Object[] reservation.

io.netty.handler.codec.redis.RedisDecoder#decodeLength io.netty.handler.codec.redis.RedisArrayAggregator#decodeRedisArrayHeader

Impact

Availability / resource exhaustion via unbounded pre-allocation from untrusted RESP array headers.

Database specific

{
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-15T20:46:16Z",
    "nvd_published_at": "2026-06-12T16:16:31Z",
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-400",
        "CWE-770"
    ]
}

References

Affected packages

Maven / io.netty:netty-codec-redis

Package

Name: io.netty:netty-codec-redis; View open source insights on deps.dev
Purl: pkg:maven/io.netty/netty-codec-redis

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.2.0.Final

Fixed

4.2.15.Final

Affected versions

4.*

4.2.0.Final

4.2.1.Final

4.2.2.Final

4.2.3.Final

4.2.4.Final

4.2.5.Final

4.2.6.Final

4.2.7.Final

4.2.8.Final

4.2.9.Final

4.2.10.Final

4.2.11.Final

4.2.12.Final

4.2.13.Final

4.2.14.Final

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-5w86-c3rq-vjj7/GHSA-5w86-c3rq-vjj7.json"

last_known_affected_version_range

"<= 4.2.14.Final"

Maven / io.netty:netty-codec-redis

Package

Name: io.netty:netty-codec-redis; View open source insights on deps.dev
Purl: pkg:maven/io.netty/netty-codec-redis

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.1.135.Final

Affected versions

4.*

4.1.0.Final

4.1.1.Final

4.1.2.Final

4.1.3.Final

4.1.4.Final

4.1.5.Final

4.1.6.Final

4.1.7.Final

4.1.8.Final

4.1.9.Final

4.1.10.Final

4.1.11.Final

4.1.12.Final

4.1.13.Final

4.1.14.Final

4.1.15.Final

4.1.16.Final

4.1.17.Final

4.1.18.Final

4.1.19.Final

4.1.20.Final

4.1.21.Final

4.1.22.Final

4.1.23.Final

4.1.24.Final

4.1.25.Final

4.1.26.Final

4.1.27.Final

4.1.28.Final

4.1.29.Final

4.1.30.Final

4.1.31.Final

4.1.32.Final

4.1.33.Final

4.1.34.Final

4.1.35.Final

4.1.36.Final

4.1.37.Final

4.1.38.Final

4.1.39.Final

4.1.40.Final

4.1.41.Final

4.1.42.Final

4.1.43.Final

4.1.44.Final

4.1.45.Final

4.1.46.Final

4.1.47.Final

4.1.48.Final

4.1.49.Final

4.1.50.Final

4.1.51.Final

4.1.52.Final

4.1.53.Final

4.1.54.Final

4.1.55.Final

4.1.56.Final

4.1.57.Final

4.1.58.Final

4.1.59.Final

4.1.60.Final

4.1.61.Final

4.1.62.Final

4.1.63.Final

4.1.64.Final

4.1.65.Final

4.1.66.Final

4.1.67.Final

4.1.68.Final

4.1.69.Final

4.1.70.Final

4.1.71.Final

4.1.72.Final

4.1.73.Final

4.1.74.Final

4.1.75.Final

4.1.76.Final

4.1.77.Final

4.1.78.Final

4.1.79.Final

4.1.80.Final

4.1.81.Final

4.1.82.Final

4.1.83.Final

4.1.84.Final

4.1.85.Final

4.1.86.Final

4.1.87.Final

4.1.88.Final

4.1.89.Final

4.1.90.Final

4.1.91.Final

4.1.92.Final

4.1.93.Final

4.1.94.Final

4.1.95.Final

4.1.96.Final

4.1.97.Final

4.1.98.Final

4.1.99.Final

4.1.100.Final

4.1.101.Final

4.1.102.Final

4.1.103.Final

4.1.104.Final

4.1.105.Final

4.1.106.Final

4.1.107.Final

4.1.108.Final

4.1.109.Final

4.1.110.Final

4.1.111.Final

4.1.112.Final

4.1.113.Final

4.1.114.Final

4.1.115.Final

4.1.116.Final

4.1.117.Final

4.1.118.Final

4.1.119.Final

4.1.120.Final

4.1.121.Final

4.1.122.Final

4.1.123.Final

4.1.124.Final

4.1.125.Final

4.1.126.Final

4.1.127.Final

4.1.128.Final

4.1.129.Final

4.1.130.Final

4.1.131.Final

4.1.132.Final

4.1.133.Final

4.1.134.Final

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-5w86-c3rq-vjj7/GHSA-5w86-c3rq-vjj7.json"

last_known_affected_version_range

"<= 4.1.134.Final"