CVE-2026-48006
HIGHCVSS v3.1: 7.5 · EPSS: 0.0004 (12.5 percentile)
Source data as of:
At a glance
- Severity
- HIGH
- CVSS
- 7.5 v3.1 · NVD
- EPSS
- 0.0004 (12.5 percentile) · FIRST.org
- CISA KEV
- No
- Type
- Memory Leak · NVD CWE
- Attack conditions (CVSS vector)
- NetworkNo privilegesNo user interaction · Source: NVD Vector
- Affected vendors
- netty
- Published
- 2026-06-12 · Modified: 2026-06-15
- References
- Jump to references (3)
CVSS / EPSS / KEV
Source — CVSS: NVD · EPSS: FIRST.org · KEV: CISA. Data & Sources
Description
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, the RedisArrayAggregator handler permanently leaks pooled direct-memory buffers when a Redis pipeline connection closes before a RESP array aggregate completes. The handler retains child messages in per-handler state (`depths` field) but defines no `channelInactive`, `handlerRemoved`, or `exceptionCaught` method to release them when the pipeline tears down. Because the leaked buffers are slices of `PooledByteBufAllocator` chunks, they prevent those chunks from being returned to the JVM-wide direct-memory pool. Repeated connection churn by any network peer monotonically drains this shared pool, eventually causing allocation failures on all Netty channels in the process. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
References
Reference URLs as listed by NVD, grouped by a mechanical match on the link's host/pattern. Labels describe the link type only.