CVE-2026-42586 – Netty: CRLF Injection in Netty Redis Codec Encoder

CVE ID :CVE-2026-42586

Published : May 13, 2026, 6:20 p.m. | 37 minutes ago

Description :Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the Netty Redis codec encoder (RedisEncoder) writes user-controlled string content directly to the network output buffer without validating or sanitizing CRLF (rn) characters. Since the Redis Serialization Protocol (RESP) uses CRLF as the command/response delimiter, an attacker who can control the content of a Redis message can inject arbitrary Redis commands or forge fake responses. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more… 

نوشته های مشابه

CVE-2026-0239 – Chronosphere Chronocollector Information Disclosure Vulnerability

CVE-2026-0250 – GlobalProtect App: Buffer Overflow Vulnerability during connection to Portal or Gateway

CVE-2026-8466 – Unbounded buffer accumulation in multipart header parsing causes denial of service in cowboy

CVE-2026-44248 – Netty: Resource exhaustion in MqttDecoder