CVE-2026-48006
Status: Undergoing Analysis - In Progress
Memory Leak in Netty RedisArrayAggregator Handler

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: GitHub, Inc.

Description
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, the RedisArrayAggregator handler permanently leaks pooled direct-memory buffers when a Redis pipeline connection closes before a RESP array aggregate completes. The handler retains child messages in per-handler state (`depths` field) but defines no `channelInactive`, `handlerRemoved`, or `exceptionCaught` method to release them when the pipeline tears down. Because the leaked buffers are slices of `PooledByteBufAllocator` chunks, they prevent those chunks from being returned to the JVM-wide direct-memory pool. Repeated connection churn by any network peer monotonically drains this shared pool, eventually causing allocation failures on all Netty channels in the process. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
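The lifecycle cleanup the description says was missing, shown on a simplified array aggregator written for this page (it is not Netty's own RedisArrayAggregator; the class name and the PartialArray helper are assumptions). Child messages that are parked in handler state between frames are retained, and therefore must be released when the channel goes away, not only when the array completes:

```java
import io.netty.channel.ChannelHandlerContext;
import io.netty.handler.codec.MessageToMessageDecoder;
import io.netty.handler.codec.redis.ArrayHeaderRedisMessage;
import io.netty.handler.codec.redis.ArrayRedisMessage;
import io.netty.handler.codec.redis.RedisMessage;
import io.netty.util.ReferenceCountUtil;
import java.util.ArrayDeque;
import java.util.ArrayList;
import java.util.Deque;
import java.util.List;

// Hypothetical aggregator illustrating the fix pattern; not the project's code.
public class ReleasingArrayAggregator extends MessageToMessageDecoder<RedisMessage> {
    private static final class PartialArray {
        long remaining;
        final List<RedisMessage> children = new ArrayList<>();
        PartialArray(long length) { remaining = length; }
    }

    // Unfinished arrays, innermost on top. This per-handler state outlives a single frame.
    private final Deque<PartialArray> pending = new ArrayDeque<>();

    @Override
    protected void decode(ChannelHandlerContext ctx, RedisMessage msg, List<Object> out) {
        if (msg instanceof ArrayHeaderRedisMessage) {
            ArrayHeaderRedisMessage header = (ArrayHeaderRedisMessage) msg;
            if (header.isNull()) { msg = ArrayRedisMessage.NULL_INSTANCE; }
            else if (header.length() == 0) { msg = ArrayRedisMessage.EMPTY_INSTANCE; }
            else { pending.push(new PartialArray(header.length())); return; } // wait for children
        }
        // retain(): MessageToMessageDecoder releases msg when decode() returns, but we keep it.
        RedisMessage current = ReferenceCountUtil.retain(msg);
        while (!pending.isEmpty()) {
            PartialArray top = pending.peek();
            top.children.add(current);
            if (--top.remaining > 0) { return; }          // array still incomplete
            pending.pop();
            current = new ArrayRedisMessage(top.children); // completed; may itself be a child
        }
        out.add(current);
    }

    // Pipeline teardown (channel close, handler removal) releases whatever is still buffered.
    @Override
    public void handlerRemoved(ChannelHandlerContext ctx) throws Exception { releasePending(); }

    @Override
    public void channelInactive(ChannelHandlerContext ctx) throws Exception {
        releasePending();
        super.channelInactive(ctx);
    }

    private void releasePending() {
        while (!pending.isEmpty()) {
            for (RedisMessage child : pending.pop().children) { ReferenceCountUtil.release(child); }
        }
    }
}
```

Without `releasePending()`, a peer that disconnects mid-array leaves every retained child (and the pooled chunk slice behind it) unreleased, which is the churn-driven drain the description is about.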
Meta Information
Published: 2026-06-12; Last Modified: 2026-06-12; Generated: 2026-06-12; AI Q&A: 2026-06-12; EPSS Evaluated: N/A
Affected Vendors & Products (2 associated CPEs)
Vendor   Product   Version / Range
netty    netty     From 4.2.0.Final (inc) to 4.2.15.Final (exc)
netty    netty     Up to 4.1.135.Final (exc)
CWE
CWE-401: The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.
AI Quick Actions
Compliance Impact

This vulnerability primarily impacts system availability due to memory exhaustion caused by a memory leak in the Netty RedisArrayAggregator handler.

While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, the resulting denial of service or system instability could indirectly affect compliance by disrupting the availability of systems that handle sensitive data.

However, there is no direct information provided about data confidentiality, integrity, or specific regulatory compliance impacts.

Executive Summary

CVE-2026-48006 is a high-severity vulnerability in the Netty library's RedisArrayAggregator handler. It causes a memory leak where pooled direct-memory buffers are not properly released when a Redis pipeline connection closes prematurely before completing a RESP array aggregate.

The handler retains child messages in its internal state but lacks necessary cleanup methods such as channelInactive, handlerRemoved, or exceptionCaught to release these buffers when the connection ends unexpectedly.

Because the leaked buffers are slices of PooledByteBufAllocator chunks, they prevent these chunks from being returned to the JVM-wide direct-memory pool. Repeated connection churn by any network peer gradually drains this shared memory pool, eventually causing allocation failures on all Netty channels within the affected process.

This issue affects Netty versions prior to 4.1.135.Final and 4.2.15.Final, which include patches to fix the problem.

Impact Analysis

This vulnerability primarily impacts system availability by causing memory exhaustion.

Because the leaked buffers prevent memory chunks from being returned to the JVM-wide direct-memory pool, repeated connection churn can drain this shared pool.

Eventually, this leads to allocation failures on all Netty channels in the affected process, potentially causing application crashes or degraded performance.

Detection Guidance

This vulnerability causes a memory leak in the Netty RedisArrayAggregator handler, leading to exhaustion of the JVM-wide direct-memory pool. Detection can focus on monitoring memory usage patterns and JVM direct memory pool exhaustion symptoms.

You can detect this issue by observing repeated allocation failures or increasing direct memory usage in JVM processes running vulnerable Netty versions.

Suggested commands include:

  • Using jcmd to monitor native memory usage: `jcmd <pid> VM.native_memory summary` (only reports if the JVM was started with `-XX:NativeMemoryTracking=summary`)
  • Using jstat to monitor JVM memory pools: `jstat -gc <pid> 1000`
  • Checking application logs for repeated allocation failures or errors related to direct memory exhaustion.
  • Monitoring network connections for frequent Redis pipeline connection churn, which may trigger the leak.

Mitigation Strategies

The primary mitigation is to upgrade Netty to a patched version where this vulnerability is fixed.

  • Upgrade to Netty version 4.1.135.Final or later.
  • Upgrade to Netty version 4.2.15.Final or later.

Until the upgrade can be applied, reduce Redis pipeline connection churn to limit how quickly the pool is drained, and monitor JVM direct memory usage closely to detect early signs of exhaustion.
