CVE-2026-42586 MEDIUM

CVE-2026-42586: Netty: CRLF Injection in Netty Redis Codec Encoder

Vendor Netty
Product netty
Weakness CWE-93 · CRLF injection
Published May 13, 2026
Last update May 14, 2026

CVSS base score

6.8/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity High
Availability None

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

What the vulnerability does

Description

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the Netty Redis codec encoder (RedisEncoder) writes user-controlled string content directly to the network output buffer without validating or sanitizing CRLF (\r\n) characters. Since the Redis Serialization Protocol (RESP) uses CRLF as the command/response delimiter, an attacker who can control the content of a Redis message can inject arbitrary Redis commands or forge fake responses. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
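To show why the missing CRLF check matters at the protocol level, here is a small RESP encoder/decoder pair written for this page (it is not Netty's RedisEncoder and makes no assumptions about Netty internals): a simple string written verbatim between `+` and CRLF splits into two frames on the wire, a length-prefixed bulk string does not, and the hardened encoder rejects CR/LF outright.

```python
CRLF = b"\r\n"

def encode_simple_unchecked(s: str) -> bytes:
    """Vulnerable pattern: content is copied verbatim between '+' and CRLF."""
    return b"+" + s.encode() + CRLF

def encode_simple_checked(s: str) -> bytes:
    """Hardened pattern: CR or LF in a line-delimited RESP type is a hard error."""
    if "\r" in s or "\n" in s:
        raise ValueError("CR/LF not allowed in RESP simple string")
    return b"+" + s.encode() + CRLF

def encode_bulk(data: bytes) -> bytes:
    """Bulk strings are length-prefixed, so the receiver reads exactly len(data)
    bytes and an embedded CRLF is treated as payload, not as a delimiter."""
    return b"$" + str(len(data)).encode() + CRLF + data + CRLF

def decode_frames(buf: bytes) -> list:
    """Minimal RESP decoder for '+' simple strings, '-' errors and '$' bulk
    strings. Returns a list of (type, payload) tuples, one per frame."""
    frames = []
    i = 0
    while i < len(buf):
        kind = buf[i:i + 1]
        end = buf.index(CRLF, i)          # line-delimited header
        line = buf[i + 1:end]
        i = end + 2
        if kind in (b"+", b"-"):
            frames.append((kind.decode(), line.decode()))
        elif kind == b"$":
            n = int(line)
            frames.append(("$", buf[i:i + n]))
            i += n + 2                    # skip payload and trailing CRLF
        else:
            raise ValueError(f"unsupported RESP type {kind!r}")
    return frames

# Constructed sample: one "message" whose content smuggles a second reply.
TAINTED = "OK\r\n+PONG"

def frames_from_unchecked() -> list:
    return decode_frames(encode_simple_unchecked(TAINTED))   # two frames

def frames_from_bulk() -> list:
    return decode_frames(encode_bulk(TAINTED.encode()))      # one frame
```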

Key dates

Disclosure timeline

May 13, 2026 CVE published
May 14, 2026 Record updated
