Main Vulnerability Database Vulnerabilities #VU133461

Allocation of Resources Without Limits or Throttling in Netty - #VU133461

Published: June 8, 2026

Vulnerability identifier: #VU133461

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: N/A

CWE-ID: CWE-770

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Netty project

Affected software:
Netty

Detailed vulnerability description

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to allocation of resources without limits or throttling in RedisArrayAggregator when processing RESP array headers. A remote attacker can send a specially crafted array header with a large declared element count to cause a denial of service.

The backing array allocation is attempted based on the declared array length before the corresponding child messages are received.

Remediation

Install security update from vendor's website.

Sources

https://github.com/netty/netty/security/advisories/GHSA-5w86-c3rq-vjj7

Allocation of Resources Without Limits or Throttling in Netty - #VU133461

Detailed vulnerability description

Remediation

Sources

Please verify you're human