CRLF injection in Netty - CVE-2026-42586


Published: May 5, 2026


Vulnerability identifier: #VU130213
CSH Severity: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-42586
CWE-ID: CWE-93
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Netty
Software vendor:
Netty project

Description

The vulnerability allows a remote attacker to inject Redis commands or poison Redis responses.

The vulnerability exists due to improper neutralization of CRLF sequences in io.netty.handler.codec.redis.RedisEncoder when encoding user-controlled Redis message content. A remote attacker can supply crafted content containing CRLF characters to inject Redis commands or poison Redis responses.

The issue affects inline command mode and simple string or error response types, while RESP array format with binary-safe length-prefixed encoding is not affected.
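The framing difference drawn above, as an added example written for this page in Python (it is not Netty's RedisEncoder): a naive line-delimited encoder beside a hardened one that rejects CR/LF, the binary-safe bulk-string and array encoders, and a minimal RESP reader that counts how many frames a peer would parse from the bytes.

```python
"""RESP framing demo: inline commands, simple strings and errors end at the first
CRLF, while bulk strings are length-prefixed. Illustrative, not Netty's code."""

CRLF = b"\r\n"

def contains_line_break(text: str) -> bool:
    """True if text holds CR or LF and would therefore end a line-delimited frame early."""
    return "\r" in text or "\n" in text

def encode_simple_string_naive(text: str) -> bytes:
    """Unsafe pattern: payload pasted between '+' and CRLF with no validation."""
    return b"+" + text.encode() + CRLF

def encode_line_frame(marker: bytes, text: str) -> bytes:
    """Hardened form for '+' simple strings, '-' errors and inline commands: reject CR/LF."""
    if contains_line_break(text):
        raise ValueError("CR/LF not permitted in a line-delimited RESP frame")
    return marker + text.encode() + CRLF

def encode_inline_command(*words: str) -> bytes:
    """Inline mode: space-separated words on one line, so the whole line is checked."""
    return encode_line_frame(b"", " ".join(words))

def encode_bulk_string(data: bytes) -> bytes:
    """Length-prefixed: the reader consumes exactly len(data) bytes, so embedded CRLF is data."""
    return b"$" + str(len(data)).encode() + CRLF + data + CRLF

def encode_array(*items: bytes) -> bytes:
    """RESP array of bulk strings, the binary-safe way to send a command."""
    return b"*" + str(len(items)).encode() + CRLF + b"".join(map(encode_bulk_string, items))

def _skip_frame(buf: bytes, pos: int) -> int:
    """Return the offset just past the RESP2 frame that starts at pos."""
    kind, end = buf[pos:pos + 1], buf.index(CRLF, pos)
    head, pos = buf[pos + 1:end], end + 2
    if kind == b"$":                      # bulk string: payload bytes then CRLF
        return pos + int(head) + 2
    if kind == b"*":                      # array: n nested frames
        for _ in range(int(head)):
            pos = _skip_frame(buf, pos)
    return pos                            # '+', '-', ':' and inline lines end at first CRLF

def count_frames(buf: bytes) -> int:
    """Number of top-level frames a RESP peer would parse out of buf."""
    frames, pos = 0, 0
    while pos < len(buf):
        pos, frames = _skip_frame(buf, pos), frames + 1
    return frames

if __name__ == "__main__":
    print(count_frames(encode_simple_string_naive("first\r\n+second")))  # 2: two replies
    print(count_frames(encode_bulk_string(b"first\r\n+second")))         # 1: CRLF is payload
```

The constructed sample "first\r\n+second" is parsed as two frames when emitted through the naive simple-string path but as one frame through the bulk-string path, which is the distinction the description makes.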


Remediation

Install the security update from the vendor's website.

External links