Skip to main content

Netty Unix Socket CVE-2026-45536

| EUVDEUVD-2026-36439 MEDIUM
Information Exposure (CWE-200)
2026-06-08 https://github.com/netty/netty GHSA-w573-9ffj-6ff9
4.0
CVSS 3.1 · Vendor: https://github.com/netty/netty
Share

Severity by source

Vendor (https://github.com/netty/netty) PRIMARY
4.0 MEDIUM
AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
SUSE
MEDIUM
qualitative
Red Hat
4.0 MEDIUM
qualitative

Primary rating from Vendor (https://github.com/netty/netty).

CVSS VectorVendor: https://github.com/netty/netty

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

3
Source Code Evidence Fetched
Jun 08, 2026 - 23:31 vuln.today
Analysis Generated
Jun 08, 2026 - 23:31 vuln.today
CVE Published
Jun 08, 2026 - 23:01 nvd
MEDIUM 4.0

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 182 maven packages depend on io.netty:netty-transport-native-epoll (21 direct, 161 indirect)
  • 118 maven packages depend on io.netty:netty-transport-native-kqueue (15 direct, 103 indirect)

Ecosystem-wide dependent count for version 4.2.0.Final and other introduced versions.

DescriptionCVE.org

netty_unix_socket_recvFd sets msg_control to char control[CMSG_SPACE(sizeof(int))] (line 940) - 24 bytes on 64-bit Linux. A peer-sent SCM_RIGHTS cmsg carrying two ints has cmsg_len = CMSG_LEN(8) = 24, which fits exactly with no MSG_CTRUNC, so the kernel installs both fds in the receiving process. The subsequent check cmsg->cmsg_len == CMSG_LEN(sizeof(int)) (line 972, expected 20) fails, the branch that would read the fd is skipped, and neither installed fd is closed. The for(;;) loop calls recvmsg again (non-blocking → EAGAIN → Java maps to 0 → read loop exits normally), leaving two leaked fds per message. There is no MSG_CTRUNC handling. Reachable via Epoll/KQueue DomainSocketChannel when the application opts into DomainSocketReadMode.FILE_DESCRIPTORS (non-default).

AnalysisAI

File descriptor exhaustion in Netty's Unix domain socket native transport allows a local peer to leak two file descriptors per crafted SCM_RIGHTS message into the receiving process, with neither FD ever closed. Affected are applications explicitly configured with DomainSocketReadMode.FILE_DESCRIPTORS on Epoll or KQueue DomainSocketChannel - a non-default opt-in setting. Sustained message flooding by a local socket peer can exhaust the Netty process's file descriptor table, ultimately causing denial of service. No public exploit identified at time of analysis and not listed in CISA KEV; CVSS scores this at 4.0 (Low) reflecting the local-only attack surface and low availability impact.

Technical ContextAI

The vulnerability resides in the native C function netty_unix_socket_recvFd within Netty's JNI transport modules: io.netty:netty-transport-native-epoll (Linux/epoll) and io.netty:netty-transport-native-kqueue (BSD/macOS). At line 940, the control buffer is allocated as CMSG_SPACE(sizeof(int)) = 24 bytes - sized for exactly one file descriptor. When a peer sends an SCM_RIGHTS ancillary message containing two integers (two FDs), the resulting cmsg_len is CMSG_LEN(8) = 24 bytes, which fits exactly in the 24-byte buffer. Because the buffer is not overflowed, the kernel does not set MSG_CTRUNC, and both peer-supplied FDs are silently installed into the receiving process's file descriptor table. The validation at line 972 checks cmsg->cmsg_len == CMSG_LEN(sizeof(int)) (expected value: 20), which fails for the two-FD message (actual: 24), so the fd-reading branch is skipped. Critically, neither installed FD is closed. The for(;;) loop then calls recvmsg again on the non-blocking socket, receives EAGAIN, which the Java layer maps to 0 and treats as normal loop exit - leaving two untracked, unclosed file descriptors per message. There is no MSG_CTRUNC handling in the code path. While NVD assigns CWE-200 (Information Exposure), the primary mechanism is more precisely CWE-775 (Missing Release of File Descriptor or Handle after Effective Lifetime); the CWE-200 classification may reflect that the peer's file descriptors are installed into the process without authorization.

RemediationAI

Upgrade to io.netty:netty-transport-native-epoll or io.netty:netty-transport-native-kqueue version 4.1.135.Final (for 4.1.x users) or 4.2.15.Final (for 4.2.x users); these are confirmed fixed releases per the Netty project's GHSA-w573-9ffj-6ff9 advisory and official release notes at https://github.com/netty/netty/releases/tag/netty-4.1.135.Final and https://github.com/netty/netty/releases/tag/netty-4.2.15.Final. For applications that cannot immediately upgrade, the most effective compensating control is to avoid enabling DomainSocketReadMode.FILE_DESCRIPTORS - reverting the channel to its default read mode entirely removes the vulnerable code path, with no trade-off unless the application specifically requires Unix FD-passing semantics. Applications that must retain FILE_DESCRIPTORS mode should monitor for FD exhaustion by tracking /proc/self/fd count or configuring ulimit alerts, and should restrict Unix socket access via filesystem permissions (chmod/chown on the socket file) to the minimum required set of local peers. Rate-limiting connections or messages on the socket can slow leak accumulation but does not eliminate it.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS Affected

Share

CVE-2026-45536 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy