CVE-2026-48006

Netty · Netty Framework

A memory leak in Netty's RedisArrayAggregator handler (netty-codec-redis) lets a remote client cause a denial of service through repeated connection churn: each connection closed in the middle of a RESP array leaves retained buffers that are never freed.

Executive summary

A memory leak in the Netty framework's Redis codec lets an unauthenticated remote peer drive the affected process into resource exhaustion, a denial-of-service condition that does not require any credentials or protocol misuse beyond opening and abandoning connections.

Vulnerability

The flaw is a permanent leak of pooled direct-memory buffers inside the RedisArrayAggregator handler. While assembling a RESP array, the handler retains each child message (and the pooled direct ByteBuf backing it) until the declared number of elements has arrived. If the connection is closed before the array completes, the handler has no cleanup path: it does not override the lifecycle hooks a Netty handler normally uses to release per-channel state (channelInactive and handlerRemoved), so the retained children are never released and the buffers are never returned to the pool. Because the allocator's direct memory is shared by the whole process, every abandoned half-finished array consumes memory that is only reclaimed on restart.
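The cleanup the handler is missing looks like the following. This is an added illustration written for this page, not Netty's own code and not the project's patch; the `Child` interface and the aggregation logic are hypothetical stand-ins for RESP array elements (nested arrays are not modelled), and only the three override methods at the bottom are the point: without them, children retained for an unfinished array are leaked when the channel goes away.

```java
import java.util.ArrayList;
import java.util.List;

import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelInboundHandlerAdapter;
import io.netty.util.ReferenceCountUtil;

// Added example (hypothetical handler, not io.netty.handler.codec.redis code):
// an aggregator that releases partially assembled, reference-counted children
// when the channel closes, the handler is removed, or an exception fires.
public class ReleaseOnCloseAggregator extends ChannelInboundHandlerAdapter {

    /** Hypothetical child element; real RESP messages are RedisMessage subtypes. */
    public interface Child {
        boolean isArrayHeader();   // true for a header announcing an array of n elements
        int declaredLength();      // element count, meaningful only for headers
    }

    private List<Child> pending;   // children retained so far; null when no array is open
    private int expected;          // number of children the open array still needs

    @Override
    public void channelRead(ChannelHandlerContext ctx, Object msg) throws Exception {
        if (!(msg instanceof Child)) {
            ctx.fireChannelRead(msg);          // not ours; pass through untouched
            return;
        }
        Child child = (Child) msg;
        if (pending == null) {
            if (child.isArrayHeader()) {
                expected = child.declaredLength();
                pending = new ArrayList<>(Math.max(0, expected));
                ReferenceCountUtil.release(child);   // header carries no payload we keep
                if (expected <= 0) {
                    flush(ctx);                      // empty or null array completes at once
                }
                return;
            }
            ctx.fireChannelRead(child);        // scalar outside an array: forward as-is
            return;
        }
        // Inside an open array: keep the child and its refcount until the array completes.
        pending.add(child);
        if (pending.size() == expected) {
            flush(ctx);
        }
    }

    private void flush(ChannelHandlerContext ctx) {
        List<Child> done = pending;
        pending = null;
        ctx.fireChannelRead(done);   // downstream now owns the children's refcounts
    }

    // The cleanup hooks the vulnerable handler lacks. Both close-time hooks call
    // the same idempotent release so it is safe whichever fires first.
    @Override
    public void channelInactive(ChannelHandlerContext ctx) throws Exception {
        releasePending();
        ctx.fireChannelInactive();
    }

    @Override
    public void handlerRemoved(ChannelHandlerContext ctx) throws Exception {
        releasePending();
    }

    @Override
    public void exceptionCaught(ChannelHandlerContext ctx, Throwable cause) throws Exception {
        releasePending();
        ctx.fireExceptionCaught(cause);
    }

    private void releasePending() {
        if (pending == null) {
            return;
        }
        for (Child c : pending) {
            ReferenceCountUtil.release(c);   // returns pooled direct memory to the allocator
        }
        pending = null;
    }
}
```

Netty invokes handlerRemoved for every handler when a channel's pipeline is torn down on close, so releasing retained state there (as Netty's own MessageAggregator does) is the conventional place to prevent exactly this class of leak; channelInactive and exceptionCaught are covered as well so the release does not depend on which event reaches the handler first.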

Business impact

With a CVSS score of 7.5, this high-severity vulnerability presents a clear risk to service availability. An unauthenticated attacker who can reach a Netty pipeline containing RedisArrayAggregator can exhaust the process's pooled direct memory by repeatedly opening connections, sending the start of a RESP array, and disconnecting. Once the allocator's direct-memory limit is reached, allocations fail and the service crashes or stops serving legitimate clients. Only applications that place this handler in a pipeline exposed to untrusted peers (Netty-based Redis servers, proxies, or clients that parse RESP arrays from an attacker-controlled endpoint) are affected; merely having netty-codec-redis on the classpath is not enough.

Remediation

Immediate Action: Update the Netty framework to version 4.1.135.Final, 4.2.15.Final, or any subsequent secure release. Check transitive dependencies as well as direct ones (for Maven, `mvn dependency:tree -Dincludes=io.netty` lists every Netty artifact in the build), since netty-codec-redis is frequently pulled in by Redis client libraries rather than declared directly.

Proactive Monitoring: Watch the process's direct memory usage for sustained growth that does not fall back after connection counts drop; with this bug the growth tracks the number of abandoned connections rather than the current load. Netty exposes the pooled allocator's used direct memory through PooledByteBufAllocator metrics, and its ResourceLeakDetector (enabled with -Dio.netty.leakDetection.level=simple or paranoid) logs a "LEAK: ByteBuf.release() was not called" message with the allocation site when an unreleased buffer is garbage-collected.
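A minimal in-process watch for the signal described above, added here as an example and not taken from the advisory or from Netty. The alert threshold and sampling period are assumptions passed in by the caller; the allocator metric and leak-detector calls are real Netty APIs.

```java
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;

import io.netty.buffer.PooledByteBufAllocator;
import io.netty.buffer.PooledByteBufAllocatorMetric;
import io.netty.util.ResourceLeakDetector;

// Added example: periodically sample pooled direct memory and flag monotonic
// growth, the pattern a close-before-complete leak produces under connection churn.
public final class DirectMemoryWatch {

    private DirectMemoryWatch() {}

    /**
     * @param alertBytes        hypothetical threshold above which growth is reported
     * @param periodSeconds     sampling interval (assumed value chosen by the caller)
     * @param growthSamples     consecutive rising samples required before reporting
     */
    public static ScheduledExecutorService start(long alertBytes, long periodSeconds,
                                                 int growthSamples) {
        // SIMPLE samples a fraction of buffers and is cheap enough for production;
        // PARANOID tracks every allocation and is for reproducing a suspected leak.
        ResourceLeakDetector.setLevel(ResourceLeakDetector.Level.SIMPLE);

        PooledByteBufAllocatorMetric metric = PooledByteBufAllocator.DEFAULT.metric();
        ScheduledExecutorService ses = Executors.newSingleThreadScheduledExecutor(r -> {
            Thread t = new Thread(r, "netty-direct-memory-watch");
            t.setDaemon(true);
            return t;
        });

        ses.scheduleAtFixedRate(new Runnable() {
            private long last = -1;
            private int rising = 0;

            @Override
            public void run() {
                long used = metric.usedDirectMemory();
                rising = (last >= 0 && used > last) ? rising + 1 : 0;
                last = used;
                if (used > alertBytes && rising >= growthSamples) {
                    // Replace with the service's real alerting hook.
                    System.err.printf("direct memory %d bytes, rising for %d samples "
                            + "(possible retained-buffer leak)%n", used, rising);
                }
            }
        }, periodSeconds, periodSeconds, TimeUnit.SECONDS);
        return ses;
    }
}
```

A single high reading is not evidence of this bug; what distinguishes the leak is that used direct memory keeps climbing while the number of open channels stays flat or falls, which is why the watch requires several consecutive rising samples before reporting.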

Compensating Controls: Apply per-source connection rate limiting at the network or load-balancer layer to slow the rapid open/disconnect cycles the attack relies on. This raises the cost of exploitation but does not remove the leak, since every abandoned array still consumes memory that is never returned.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the potential for service disruption, administrators should prioritize patching the Netty framework. This vulnerability is particularly dangerous because it is triggered by ordinary network behaviour (a client disconnecting mid-message) rather than by malformed input, so it cannot be filtered out at the protocol level; applying the vendor-provided patches is the only definitive way to resolve the underlying memory leak.