Description
The security fix for CVE-2025-0728 in eclipse-threadx NetX Duo refactors error handling in the HTTP server PUT process to use a shared cleanup label, but this unified cleanup path unconditionally calls fx_file_close() even when the file was never successfully opened. Multiple error branches jump to the shared cleanup label before any file open operation has occurred, causing fx_file_close() to operate on an uninitialized file handle, leading to undefined behavior, double-close issues, or memory corruption.
Published: 2026-06-19
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The HTTP server PUT handler in Eclipse ThreadX NetX Duo incorrectly uses a shared cleanup path that unconditionally calls fx_file_close() even when no file has been successfully opened, resulting in an uninitialized file handle being closed. This undefined behavior can cause double‑close errors or memory corruption, potentially leading to crashes or exploitable conditions.

Affected Systems

The vulnerability affects the Eclipse ThreadX NetX Duo product from the Eclipse Foundation. No specific affected version range is listed in the available data.

Risk and Exploitability

With a CVSS score of 7.5, the issue presents high severity. The EPSS score is not available, and it is not listed in CISA KEV. The likely attack vector is remote, exploiting the HTTP PUT endpoint to trigger the faulty cleanup path; the impact would be memory corruption in the server process.

Generated by OpenCVE AI on June 19, 2026 at 10:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware or software update from Eclipse that fixes the file‑handle cleanup logic.
  • Disable or restrict the HTTP PUT method on the server if it is not required for normal operation.
  • Monitor server logs for anomalous file‑close events and enforce network controls to limit access to trusted hosts.

Generated by OpenCVE AI on June 19, 2026 at 10:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
Title Uninitialized File Handle Closure in Eclipse ThreadX NetX Duo HTTP Server

Fri, 19 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
Description The security fix for CVE-2025-0728 in eclipse-threadx NetX Duo refactors error handling in the HTTP server PUT process to use a shared cleanup label, but this unified cleanup path unconditionally calls fx_file_close() even when the file was never successfully opened. Multiple error branches jump to the shared cleanup label before any file open operation has occurred, causing fx_file_close() to operate on an uninitialized file handle, leading to undefined behavior, double-close issues, or memory corruption.
Weaknesses CWE-415
CWE-459
CWE-908
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: eclipse

Published:

Updated: 2026-06-19T08:27:59.652Z

Reserved: 2026-06-08T11:16:50.888Z

Link: CVE-2026-11576

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-19T10:30:15Z

Weaknesses