CVE-2026-42586
CRLF Injection vulnerability in netty-codec-redis (Maven)

Vulnerability type: CRLF Injection. Known public exploits: none.

What is CVE-2026-42586 About?

The Netty Redis codec encoder is vulnerable to CRLF injection because it does not neutralize CRLF sequences in user-controlled input before encoding. This flaw allows attackers to inject arbitrary Redis commands or forge fake responses, leading to Redis command injection or response poisoning. Exploitation has low attack complexity whenever user-controlled input reaches the encoder without prior sanitization.

Affected Software

  • io.netty:netty-codec-redis
    • >=4.2.0.Alpha1, <4.2.13.Final
    • <4.1.133.Final

Technical Details

The Netty Redis codec encoder (RedisEncoder) does not validate or sanitize CRLF (\r\n) characters in user-controlled string content before writing it to the network buffer. The Redis Serialization Protocol (RESP) uses CRLF as its frame delimiter, so an attacker who can place these characters into a string terminates the legitimate command or response early and appends new, arbitrary commands or responses. Specifically, the writeString() method in RedisEncoder.java calls ByteBufUtil.writeUtf8() with no CRLF check. The message constructors for InlineCommandRedisMessage, SimpleStringRedisMessage, and ErrorRedisMessage also perform no CRLF validation; they inherit from AbstractStringRedisMessage, whose constructor only checks that the content is non-null. This enables scenarios such as injecting FLUSHALL after a PING command, or forging responses that appear legitimate to a client consuming Netty's output.

What is the Impact of CVE-2026-42586?

Successful exploitation may allow attackers to inject arbitrary Redis commands, leading to command execution, data modification (SET/DEL/FLUSHALL), configuration changes (`CONFIG SET`), or denial of service (`SHUTDOWN`). It can also enable response poisoning, allowing an attacker to inject fake data into client responses, corrupting application logic or leading to further exploitation.

What is the Exploitability of CVE-2026-42586?

This vulnerability has a low attack complexity. It is exploitable when an application uses Netty's codec-redis module, places user-controlled input into specific message types (InlineCommandRedisMessage, SimpleStringRedisMessage, or ErrorRedisMessage), and does not perform its own CRLF sanitization. No authentication or privileges are required to exploit this at the library boundary, but the attacker must have remote network access to an application that exposes this Redis communication. The attack can originate from a client providing malicious input or a malicious upstream Redis server poisoning responses. The primary constraint is the specific usage of the affected Redis message types and lack of application-level sanitization. The risk is high if user input directly influences Redis commands or responses, especially in proxy or custom client implementations.
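Both the technical details and the exploitability notes above come down to one condition: a string that can carry CR or LF reaches one of the three string-based message types without anyone checking it. The following is an added example of an application-side guard, written for this page and not part of Netty; the class name CrlfGuard, its helper methods, and the OutboundCrlfValidator handler are hypothetical. It assumes the public Netty classes named in the advisory (SimpleStringRedisMessage, ErrorRedisMessage, InlineCommandRedisMessage, and their parent AbstractStringRedisMessage, which exposes content()) and the standard ChannelOutboundHandlerAdapter API. The sample input strings are constructed for illustration.

```java
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelOutboundHandlerAdapter;
import io.netty.channel.ChannelPromise;
import io.netty.handler.codec.redis.AbstractStringRedisMessage;
import io.netty.handler.codec.redis.ErrorRedisMessage;
import io.netty.handler.codec.redis.InlineCommandRedisMessage;
import io.netty.handler.codec.redis.SimpleStringRedisMessage;
import io.netty.util.ReferenceCountUtil;

/**
 * Hypothetical application-side CRLF guard for the three string-based RESP
 * message types named in the advisory. Not part of Netty; written for this page.
 */
public final class CrlfGuard {

    private CrlfGuard() {}

    /** True if the string carries a bare CR or LF, which RESP treats as a frame delimiter. */
    public static boolean containsCrlf(String s) {
        return s != null && (s.indexOf('\r') >= 0 || s.indexOf('\n') >= 0);
    }

    /** Fail closed: reject tainted content instead of letting it reach RedisEncoder. */
    public static String requireNoCrlf(String s, String what) {
        if (containsCrlf(s)) {
            throw new IllegalArgumentException(what + " must not contain CR or LF");
        }
        return s;
    }

    // Validating factories: check once, at the point where untrusted input becomes a message.
    public static SimpleStringRedisMessage simpleString(String content) {
        return new SimpleStringRedisMessage(requireNoCrlf(content, "simple string"));
    }

    public static ErrorRedisMessage error(String content) {
        return new ErrorRedisMessage(requireNoCrlf(content, "error"));
    }

    public static InlineCommandRedisMessage inlineCommand(String content) {
        return new InlineCommandRedisMessage(requireNoCrlf(content, "inline command"));
    }

    /**
     * Defence in depth at the pipeline boundary: fails any write of a string-based
     * RESP message that still carries CR/LF, so nothing tainted reaches the encoder
     * even if some code path bypassed the factories above. Outbound handlers run
     * from tail to head, so add this handler AFTER RedisEncoder with addLast().
     */
    public static final class OutboundCrlfValidator extends ChannelOutboundHandlerAdapter {
        @Override
        public void write(ChannelHandlerContext ctx, Object msg, ChannelPromise promise) {
            if (msg instanceof AbstractStringRedisMessage
                    && containsCrlf(((AbstractStringRedisMessage) msg).content())) {
                ReferenceCountUtil.release(msg); // no-op for these messages, safe for any msg
                promise.setFailure(new IllegalArgumentException(
                        "refusing to encode RESP message containing CR/LF"));
                return;
            }
            ctx.write(msg, promise);
        }
    }

    public static void main(String[] args) {
        // Constructed sample values: one clean, one carrying an embedded frame delimiter.
        String clean = "PONG";
        String tainted = "PONG\r\nunexpected second frame";

        SimpleStringRedisMessage ok = simpleString(clean);
        System.out.println("accepted: " + ok.content());

        try {
            simpleString(tainted);
            System.out.println("BUG: tainted value was accepted");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Wiring the validator into a bootstrap looks like `pipeline.addLast(new RedisEncoder()); pipeline.addLast(new CrlfGuard.OutboundCrlfValidator());`, which places it ahead of the encoder on the outbound path. Rejecting rather than stripping is the deliberate choice here: a silently rewritten command can still surprise the application, whereas a failed promise surfaces the tainted input where it can be logged and investigated. This is a stopgap for deployments that cannot upgrade immediately; the fixed versions listed below remain the actual remedy.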

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2026-42586?

Available Upgrade Options

  • io.netty:netty-codec-redis
    • <4.1.133.Final → Upgrade to 4.1.133.Final
  • io.netty:netty-codec-redis
    • >=4.2.0.Alpha1, <4.2.13.Final → Upgrade to 4.2.13.Final


Additional Resources

What are Similar Vulnerabilities to CVE-2026-42586?

Similar Vulnerabilities: CVE-2021-39144, CVE-2020-11029, CVE-2019-11358, CVE-2018-1270, CVE-2017-7657