PT-2026-47601 · Unknown · Netty-Codec-Redis

Published 2026-06-08 · Updated 2026-06-11 · CVE-2026-44250

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

netty-codec-redis versions prior to 4.1.135.Final
netty-codec-redis versions prior to 4.2.15.Final

Description

A denial of service can occur when an attacker sends a crafted Redis payload containing deeply nested arrays. The io.netty.handler.codec.redis.RedisArrayAggregator class aggregates RedisMessage parts into ArrayRedisMessage, using a Deque<AggregateState> to track nested arrays. Because there is no limit on the maximum depth of these arrays, a continuous stream of nested array headers forces the server to allocate a massive number of AggregateState instances and ArrayList collections. This leads to heap memory exhaustion and an OutOfMemoryError.

Recommendations

Update to version 4.1.135.Final.
Update to version 4.2.15.Final.
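
The missing depth limit from the Description, illustrated as an added example (this is not Netty's code and not the upstream fix): a hypothetical handler, RedisArrayDepthGuard, that sits in front of RedisArrayAggregator and closes the connection once array nesting exceeds a configured maxDepth. It assumes RedisBulkStringAggregator runs upstream, so every non-header message it sees is one complete element; the class name and the maxDepth parameter are assumptions.

```java
import io.netty.channel.ChannelHandlerContext;
import io.netty.handler.codec.DecoderException;
import io.netty.handler.codec.MessageToMessageDecoder;
import io.netty.handler.codec.redis.ArrayHeaderRedisMessage;
import io.netty.handler.codec.redis.RedisMessage;
import io.netty.util.ReferenceCountUtil;

import java.util.ArrayDeque;
import java.util.Deque;
import java.util.List;

// Hypothetical guard, not a Netty class. Pipeline order assumed:
// RedisDecoder -> RedisBulkStringAggregator -> RedisArrayDepthGuard -> RedisArrayAggregator
public final class RedisArrayDepthGuard extends MessageToMessageDecoder<RedisMessage> {
    private final int maxDepth;
    // One counter per array still open: elements not yet received at that level.
    private final Deque<long[]> open = new ArrayDeque<>();

    public RedisArrayDepthGuard(int maxDepth) {
        if (maxDepth < 1) {
            throw new IllegalArgumentException("maxDepth must be >= 1");
        }
        this.maxDepth = maxDepth;
    }

    @Override
    protected void decode(ChannelHandlerContext ctx, RedisMessage msg, List<Object> out) {
        if (msg instanceof ArrayHeaderRedisMessage) {
            ArrayHeaderRedisMessage header = (ArrayHeaderRedisMessage) msg;
            if (!header.isNull() && header.length() > 0) {
                if (open.size() >= maxDepth) {
                    // Reject before the aggregator allocates state for another level.
                    open.clear();
                    ctx.close();
                    throw new DecoderException("Redis array nesting exceeds " + maxDepth);
                }
                open.push(new long[] {header.length()});
                out.add(msg);
                return;
            }
        }
        // A scalar, or a null/empty array: one element of the enclosing array is complete.
        while (!open.isEmpty() && --open.peek()[0] == 0) {
            open.pop(); // array finished; it counts as one element of its parent
        }
        // MessageToMessageDecoder releases msg after decode(), so retain what is forwarded.
        out.add(ReferenceCountUtil.retain(msg));
    }
}
```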

Fix

Resource Exhaustion

Weakness Enumeration

Related Identifiers

CVE-2026-44250
GHSA-3244-J874-RHC2

Affected Products

Netty-Codec-Redis