CVE-2026-48006: Netty's Lack of Lifecycle Cleanup Leads to Pooled ByteBuf Leak in RedisArrayAggregator

Published Jun 11, 2026
·
Updated

Impact The RedisArrayAggregator handler permanently leaks pooled direct-memory buffers when a Redis pipeline connection closes before a RESP array aggregate completes. The handler retains child messages in per-handler state (depths field) but defines no channelInactive, handlerRemoved, or exceptionCaught method to release them when the pipeline tears down. Because the leaked buffers are slices of PooledByteBufAllocator chunks, they prevent those chunks from being returned to the JVM-wide direct-memory pool. Repeated connection churn by any network peer monotonically drains this shared pool, eventually causing allocation failures on all Netty channels in the process.

Other sources

Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, the RedisArrayAggregator handler permanently leaks pooled direct-memory buffers when a Redis pipeline connection closes before a RESP array aggregate completes. The handler retains child messages in per-handler state (depths field) but defines no channelInactive, handlerRemoved, or exceptionCaught method to release them when the pipeline tears down. Because the leaked buffers are slices of PooledByteBufAllocator chunks, they prevent those chunks from being returned to the JVM-wide direct-memory pool. Repeated connection churn by any network peer monotonically drains this shared pool, eventually causing allocation failures on all Netty channels in the process. Versions 4.1.135.Final and 4.2.15.Final patch the issue.

MITRE

Affected Software

4 affected componentsFixes available
maven/io.netty:netty-codec-redis<=4.1.134.Final
4.1.135.Final
maven/io.netty:netty-codec-redis>=4.2.0.Final<=4.2.14.Final
4.2.15.Final
Netty Netty<4.1.135
Netty Netty>=4.2.0<4.2.15

Event History

Jun 11, 2026
Advisory Published
via GitHub·01:26 PM
Data Sourced
via GitHub·01:26 PM
DescriptionWeaknessAffected Software
Jun 12, 2026
CVE Published
via MITRE·02:36 PM
Data Sourced
via MITRE·02:36 PM
DescriptionWeakness
Data Sourced
via NVD·04:16 PM
DescriptionSeverityWeaknessAffected Software
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2026-48006?

The severity of CVE-2026-48006 is high with a CVSS score of 8.7.

2

What impact does CVE-2026-48006 have on applications?

CVE-2026-48006 causes a permanent memory leak of pooled direct-memory buffers if a Redis pipeline connection closes prematurely.

3

How can I fix CVE-2026-48006?

To resolve CVE-2026-48006, upgrade to a patched version of netty-codec-redis that addresses the pooled ByteBuf leak.

4

Which software is affected by CVE-2026-48006?

CVE-2026-48006 affects the netty-codec-redis component of the Netty framework.

5

When was CVE-2026-48006 published?

CVE-2026-48006 was published on June 11, 2026.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203