CRLF injection in Netty - CVE-2026-42586

Published: May 5, 2026


Vulnerability identifier: #VU130213
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-42586
CWE-ID: CWE-93
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Netty project
Affected software:
Netty

Detailed vulnerability description

The vulnerability allows a remote attacker to inject Redis commands or poison Redis responses.

The vulnerability exists due to improper neutralization of CRLF sequences in io.netty.handler.codec.redis.RedisEncoder when encoding user-controlled Redis message content. In RESP, inline commands, simple strings and errors are terminated by CRLF and carry no length prefix, so a CRLF embedded in the content ends the current message early and the bytes that follow are parsed by the peer as a new message. A remote attacker who can get CR or LF characters into such content can inject additional Redis commands (client side) or poison Redis responses (server side).

The issue affects inline command mode and the simple string and error response types. The RESP array format of length-prefixed, binary-safe bulk strings is not affected, because each element's length is declared before its bytes and any CRLF inside it is carried as data rather than as a terminator.
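As an added example that is not part of this advisory or of Netty's code, the following Python models the RESP framing the flaw abuses: naive encoders that copy content through unchecked (the behaviour described above), the binary-safe bulk-string array form, a CR/LF rejection check, and a small RESP parser that shows how many messages the receiving peer actually sees. Function names and the hostile input are constructed for illustration; the framing rules follow the Redis protocol specification.

```python
# Added example (not Netty code): how a CRLF inside user-controlled content
# changes RESP framing. The "naive" encoders copy content through unchecked,
# which is the behaviour the advisory describes; the "safe" variants reject
# CR/LF, and the bulk-string array encoding is unaffected because every
# element is length-prefixed. All inputs below are constructed.

CRLF = b"\r\n"


def encode_inline_naive(command: str) -> bytes:
    """Inline command: one CRLF-terminated line, no length prefix (naive)."""
    return command.encode() + CRLF


def encode_simple_string_naive(text: str) -> bytes:
    """Simple string reply ('+'): CRLF-terminated, no length prefix (naive)."""
    return b"+" + text.encode() + CRLF


def encode_error_naive(text: str) -> bytes:
    """Error reply ('-'): CRLF-terminated, no length prefix (naive)."""
    return b"-" + text.encode() + CRLF


def reject_crlf(text: str) -> str:
    """Hardening check: refuse content that would terminate the frame early."""
    if "\r" in text or "\n" in text:
        raise ValueError("CR/LF not allowed in inline, simple string or error content")
    return text


def encode_inline_safe(command: str) -> bytes:
    return encode_inline_naive(reject_crlf(command))


def encode_simple_string_safe(text: str) -> bytes:
    return encode_simple_string_naive(reject_crlf(text))


def encode_bulk_array(args: list) -> bytes:
    """RESP array of bulk strings: each element is '$<len>\\r\\n<bytes>\\r\\n',
    so CR/LF inside an argument is data, not a terminator."""
    out = b"*%d\r\n" % len(args)
    for arg in args:
        out += b"$%d\r\n" % len(arg) + arg + CRLF
    return out


def _read_line(buf: bytes, pos: int):
    end = buf.index(CRLF, pos)  # raises ValueError on a truncated frame
    return buf[pos:end], end + 2


def _parse_one(buf: bytes, pos: int):
    """Decode one RESP value starting at pos; returns (value, new_pos)."""
    kind = buf[pos:pos + 1]
    if kind == b"+":
        line, pos = _read_line(buf, pos + 1)
        return line.decode(), pos
    if kind == b"-":
        line, pos = _read_line(buf, pos + 1)
        return ("error", line.decode()), pos
    if kind == b":":
        line, pos = _read_line(buf, pos + 1)
        return int(line), pos
    if kind == b"$":
        line, pos = _read_line(buf, pos + 1)
        length = int(line)
        if length < 0:
            return None, pos  # null bulk string
        return buf[pos:pos + length], pos + length + 2  # payload, then CRLF
    if kind == b"*":
        line, pos = _read_line(buf, pos + 1)
        items = []
        for _ in range(int(line)):
            item, pos = _parse_one(buf, pos)
            items.append(item)
        return items, pos
    # No type byte: inline command, a whitespace-separated line.
    line, pos = _read_line(buf, pos)
    return ("inline", line.decode().split()), pos


def parse_resp(buf: bytes) -> list:
    """Split a RESP byte stream into the top-level messages a peer would see."""
    messages, pos = [], 0
    while pos < len(buf):
        msg, pos = _parse_one(buf, pos)
        messages.append(msg)
    return messages


if __name__ == "__main__":
    hostile = "PING\r\nFLUSHALL"  # constructed attacker-controlled value
    print(parse_resp(encode_inline_naive(hostile)))                        # two commands
    print(parse_resp(encode_bulk_array([b"SET", b"k", hostile.encode()])))  # one array
    print(parse_resp(encode_simple_string_naive("OK\r\n-ERR poisoned")))   # reply plus fake error
    try:
        encode_inline_safe(hostile)
    except ValueError as exc:
        print("rejected:", exc)
```

Run stand-alone, the naive inline encoding of the hostile value is parsed as two separate commands and the naive simple-string reply is parsed as a genuine reply followed by an attacker-chosen error, while the same value sent as a bulk string inside an array arrives as one argument. The check in reject_crlf is the minimal fix for the three CRLF-terminated forms; switching untrusted values to bulk strings is the more robust choice.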


How to mitigate CVE-2026-42586

Install the security update from the vendor's website. Until the update is applied, do not pass untrusted content into inline commands, simple string replies or error replies: send untrusted values as bulk strings inside a RESP array, or reject any value containing CR or LF before it reaches the encoder.

Sources