GHSA-5w86-c3rq-vjj7: Netty: Unbounded pre-allocation in RedisArrayAggregator from RESP array length
Summary
Netty's RedisArrayAggregator has a vulnerability where it pre-allocates memory (reserves space in a data structure) based on array sizes claimed in incoming messages, without checking if those sizes are reasonable. An attacker can send a message claiming an extremely large array size, causing the system to try reserving huge amounts of memory and crash or become unresponsive, even though they don't send the actual array data.
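The pattern described above, shown beside a bounded form, as an added example that is not Netty's code. The class name, the two limits and the use of `ArrayList` are assumptions made for illustration, and the sample headers are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

// Added illustration; not Netty's RedisArrayAggregator source.
public class RespArrayHeaderDemo {
    // Hypothetical limits chosen for this example.
    static final int MAX_ARRAY_LENGTH = 1 << 20;  // reject larger declared lengths
    static final int MAX_INITIAL_CAPACITY = 64;   // cap on what is reserved up front

    // Parses a RESP array header of the form "*<length>\r\n" and returns the declared length.
    static long declaredLength(byte[] header) {
        String s = new String(header, StandardCharsets.US_ASCII);
        if (!s.startsWith("*") || !s.endsWith("\r\n")) {
            throw new IllegalArgumentException("not a RESP array header");
        }
        return Long.parseLong(s.substring(1, s.length() - 2));
    }

    // Weak pattern: the capacity comes straight from the peer-supplied length.
    static List<Object> allocateUnbounded(long declared) {
        return new ArrayList<>((int) declared);
    }

    // Hardened pattern: validate the length, reserve only a small bounded capacity,
    // and let the list grow as elements actually arrive. A real decoder handles the
    // RESP null array (length -1) before reaching this point.
    static List<Object> allocateBounded(long declared) {
        if (declared < 0 || declared > MAX_ARRAY_LENGTH) {
            throw new IllegalArgumentException("declared array length out of range: " + declared);
        }
        return new ArrayList<>((int) Math.min(declared, MAX_INITIAL_CAPACITY));
    }

    public static void main(String[] args) {
        // Constructed sample headers; no element data follows either one.
        byte[] small = "*3\r\n".getBytes(StandardCharsets.US_ASCII);
        byte[] huge = "*2147483647\r\n".getBytes(StandardCharsets.US_ASCII);

        System.out.println("small header accepted, elements so far: " + allocateBounded(declaredLength(small)).size());
        try {
            allocateBounded(declaredLength(huge));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // allocateUnbounded(declaredLength(huge)) would request a backing array of
        // 2147483647 references before a single element has been received.
    }
}
```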
Vulnerability Details
EPSS: 0.3%
Yes
June 15, 2026
Original source: https://github.com/advisories/GHSA-5w86-c3rq-vjj7
First tracked: June 15, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 75%