CVE-2026-42586

Netty: CRLF Injection in Netty Redis Codec Encoder

Assigner: GitHub_M
Reserved: 28.04.2026 Published: 13.05.2026 Updated: 13.05.2026

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the Netty Redis codec encoder (RedisEncoder) writes user-controlled string content directly to the network output buffer without validating or sanitizing CRLF (\r\n) characters. Since the Redis Serialization Protocol (RESP) uses CRLF as the command/response delimiter, an attacker who can control the content of a Redis message can inject arbitrary Redis commands or forge fake responses. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

Metrics

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
CVSS Score: 6.8

Attack Vector	Local	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	netty
Product	netty
Versions	Version >= 4.2.0.Alpha1, < 4.2.13.Final is affected Version < 4.1.133.Final is affected

Vendor

netty

Product

netty

Versions

Version >= 4.2.0.Alpha1, < 4.2.13.Final is affected
Version < 4.1.133.Final is affected

Vendor	io.netty
Product	netty-codec-redis
Versions	Version >= 4.2.0.Alpha1, < 4.2.13.Final is affected Version < 4.1.133.Final is affected

Vendor

io.netty

Product

netty-codec-redis

Versions

Version >= 4.2.0.Alpha1, < 4.2.13.Final is affected
Version < 4.1.133.Final is affected

References

Problem Types

CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection') CWE

CVE-2026-42586 PUBLISHED

Netty: CRLF Injection in Netty Redis Codec Encoder

Metrics

Product Status

References

Problem Types