CVE-2026-42586

EUVD-2026-30129
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the Netty Redis codec encoder (RedisEncoder) writes user-controlled string content directly to the network output buffer without validating or sanitizing CRLF (\r\n) characters. Since the Redis Serialization Protocol (RESP) uses CRLF as the command/response delimiter, an attacker who can control the content of a Redis message can inject arbitrary Redis commands or forge fake responses. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CRLF Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.8 MEDIUM
LOCAL
LOW
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 9%
Affected Products (NVD)
VendorProductVersion
nettynetty
𝑥
< 4.1.133
nettynetty
4.2.0 ≤
𝑥
< 4.2.13
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
netty
bookworm
vulnerable
bookworm (security)
vulnerable
bullseye
vulnerable
bullseye (security)
vulnerable
forky
vulnerable
sid
vulnerable
trixie
vulnerable
trixie (security)
vulnerable
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
netty-tcnative
suse enterprise desktop 15 SP7
2.0.77-150200.3.39.1
fixed
suse enterprise sap 15 SP4
2.0.77-150200.3.39.1
fixed
suse enterprise sap 15 SP5
2.0.77-150200.3.39.1
fixed
suse enterprise sap 15 SP6
2.0.77-150200.3.39.1
fixed
suse enterprise sap 15 SP7
2.0.77-150200.3.39.1
fixed
suse enterprise server 15 SP4
2.0.77-150200.3.39.1
fixed
suse enterprise server 15 SP5
2.0.77-150200.3.39.1
fixed
suse enterprise server 15 SP6
2.0.77-150200.3.39.1
fixed
suse enterprise server 15 SP7
2.0.77-150200.3.39.1
fixed
Common Weakness Enumeration
Vulnerability Media Exposure
References
https://github.com/netty/netty/security/advisories/GHSA-rgrr-p7gp-5xj7
https://github.com/netty/netty/security/advisories/GHSA-rgrr-p7gp-5xj7