CVE-2026-42586

6.8 MEDIUM

Netty is an asynchronous, event-driven network application framework

Published: 2026-05-13 · Last updated: 2026-05-18

Severity and scoring

CVSS: 6.8 MEDIUM
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
CWE: CWE-93

Affected products

Vendor	Product
netty	netty

Description

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the Netty Redis codec encoder (RedisEncoder) writes user-controlled string content directly to the network output buffer without validating or sanitizing CRLF (\r\n) characters. Since the Redis Serialization Protocol (RESP) uses CRLF as the command/response delimiter, an attacker who can control the content of a Redis message can inject arbitrary Redis commands or forge fake responses. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-42586
[Vendor advisory]https://github.com/netty/netty/security/advisories/GHSA-rgrr-p7gp-5xj7
[Vendor advisory]https://github.com/netty/netty/security/advisories/GHSA-rgrr-p7gp-5xj7

Related CVEs

Same vendor

CVE-2026-48040 — The netty incubator codec.bhttp is a java language binary http parser (9.1 CRITICAL)
CVE-2026-41207 — The netty incubator codec.bhttp is a java language binary http parser (5.3 MEDIUM)
CVE-2026-44248 — Netty is an asynchronous, event-driven network application framework (5.3 MEDIUM)
CVE-2026-42587 — Netty is an asynchronous, event-driven network application framework (7.5 HIGH)
CVE-2026-42585 — Netty is an asynchronous, event-driven network application framework (6.5 MEDIUM)

Same CWE

CVE-2026-50639 — Metrics::Any::Adapter::SignalFx versions before 0.04 for Perl does not protect against metric injections (6.5 MEDIUM)
CVE-2026-50638 — Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl does not protect against metric injections
CVE-2026-50637 — Metrics::Any::Adapter::Statsd versions before 0.04 for Perl does not protect against metric injections
CVE-2026-49756 — Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in wojtekmach Req allows multipart parameter smuggling via att...
CVE-2026-9270 — DataDog::DogStatsd versions through 0.07 for Perl allow metric injections (9.1 CRITICAL)