Skip to main content

Eclipse ThreadX NetX Duo CVE-2026-11576

| EUVDEUVD-2026-37999 HIGH
Double Free (CWE-415)
2026-06-19 eclipse
7.5
CVSS 3.1 · Vendor: eclipse
Share

Severity by source

Vendor (eclipse) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Reachable over the network via HTTP PUT with no auth or user interaction; trigger is a simple malformed request, and impact is service crash with no confidentiality or integrity loss.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (eclipse).

CVSS VectorVendor: eclipse

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 19, 2026 - 10:00 vuln.today

DescriptionCVE.org

The security fix for CVE-2025-0728 in eclipse-threadx NetX Duo refactors error handling in the HTTP server PUT process to use a shared cleanup label, but this unified cleanup path unconditionally calls fx_file_close() even when the file was never successfully opened. Multiple error branches jump to the shared cleanup label before any file open operation has occurred, causing fx_file_close() to operate on an uninitialized file handle, leading to undefined behavior, double-close issues, or memory corruption.

AnalysisAI

Denial of service in Eclipse ThreadX NetX Duo HTTP server arises from a flawed remediation of CVE-2025-0728, where the refactored shared cleanup label invokes fx_file_close() on an uninitialized file handle whenever an error occurs before file open. Remote attackers can reach the vulnerable PUT path over the network without authentication, triggering undefined behavior, double-close conditions, or memory corruption that can crash the embedded HTTP service. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify exposed NetX Duo HTTP server
Delivery
Send malformed HTTP PUT request
Exploit
Trigger early error branch before file open
Execution
Shared cleanup invokes fx_file_close on uninitialized handle
Persist
Memory corruption or double-close in FileX
Impact
HTTP service or device crashes (DoS)

Vulnerability AssessmentAI

Exploitation The target must be running the Eclipse ThreadX NetX Duo HTTP server with the PUT method handler enabled and with the CVE-2025-0728 remediation applied (the refactor that introduced the shared cleanup label); devices on a version predating that fix are not affected by this specific bug. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/C:N/I:N/A:H, 7.5) frames this as a remote, unauthenticated availability bug with no confidentiality or integrity impact, which is consistent with a crash/memory-corruption sink reached from an HTTP error path. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with network reach to an embedded device running Eclipse ThreadX NetX Duo's HTTP server sends a crafted HTTP PUT request shaped to trigger one of the early error branches (for example malformed headers, oversized URI, or filesystem-level rejection) before the server reaches the file-open step. Control flow falls through the shared cleanup label, fx_file_close() executes on an uninitialized FX_FILE structure, and the device's HTTP service or full network stack crashes; on memory-constrained MCUs this typically requires a reboot to recover and may corrupt adjacent heap state. …
Remediation No vendor-released patch version is identified at time of analysis in the provided data, so consult the Eclipse security advisory at https://gitlab.eclipse.org/security/cve-assignment/-/work_items/123 and the eclipse-threadx/netxduo GitHub repository for the corrective commit that gates fx_file_close() on a successful prior fx_file_open(), then rebuild and reflash affected firmware once a tagged release is available. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory systems using Eclipse ThreadX NetX Duo HTTP server, document their operational criticality, and implement network access controls restricting PUT requests to trusted sources. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-11576 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy