Description
Netty is an asynchronous, event-driven network application framework. From 4.2.0.Final to 4.2.13.Final, Netty's epoll transport fails to detect and close TCP connections that receive a RST after being half-closed, leading to stale channels that are never cleaned up and, in some code paths, a 100% CPU busy-loop in the event loop thread. This vulnerability is fixed in 4.2.13.Final.
Published: 2026-05-13
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Netty versions 4.2.0.Final through 4.2.13.Final contain a flaw in the epoll transport that fails to detect and close TCP connections that receive an RST after being half-closed. The result is that stale channels remain open forever, and in some code paths the event loop thread enters a 100% CPU busy-loop, leading to a denial of service. The weakness is classified as CWE-772, improper cleanup of resources.

Affected Systems

The affected product is Netty from the vendor Netty. Any deployment using Netty 4.2.0.Final up to and including 4.2.13.Final suffers from this flaw; versions 4.2.13.Final and later are patched.
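A dependency check for the affected range, added here as an example; it is not part of the OpenCVE record or of the Netty project. It reads the range as 4.2.0.Final up to, but not including, 4.2.13.Final (the release the description names as the fix), parses Netty-style version strings such as `4.2.12.Final`, and scans a constructed `pom.xml` for `io.netty` artifacts whose resolved version falls inside that range. The sample pom, its property name `netty.version`, and the version values in it are constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

# Affected range as read from the CVE description: 4.2.0.Final up to, but not
# including, 4.2.13.Final (the release the description names as the fix).
# Key layout: (major, minor, patch, is_final); a pre-release (Alpha/Beta/CR)
# of a given number sorts just below its Final release.
AFFECTED_FROM = (4, 2, 0, 1)
FIXED_IN = (4, 2, 13, 1)

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.(Final|Alpha\d+|Beta\d+|CR\d+))?$")


def version_key(version):
    """Turn a Netty version string such as '4.2.12.Final' into a sortable tuple."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Netty version string: {version!r}")
    qualifier = m.group(4) or "Final"
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), 1 if qualifier == "Final" else 0)


def is_affected(version):
    """True when the version lies inside the affected range for this CVE."""
    return AFFECTED_FROM <= version_key(version) < FIXED_IN


POM_NS = "{http://maven.apache.org/POM/4.0.0}"


def _properties(root):
    """Collect <properties> so ${netty.version}-style references can be expanded."""
    props = {}
    for block in root.iter(f"{POM_NS}properties"):
        for child in block:
            props[child.tag.replace(POM_NS, "")] = (child.text or "").strip()
    return props


def _expand(value, props):
    # Expand ${name} the way a simple single-module pom would; unknown names stay as-is.
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)


def affected_netty_dependencies(pom_xml):
    """Return (artifactId, version) for every io.netty dependency in the affected range.

    Netty's modules share one release version, so every io.netty artifact in
    range is reported, not only netty-transport-native-epoll. A dependency whose
    version comes from a parent or BOM is skipped because it is not visible in
    this file; resolve it with the build tool before trusting a clean result.
    """
    root = ET.fromstring(pom_xml)
    props = _properties(root)
    findings = []
    for dep in root.iter(f"{POM_NS}dependency"):
        if dep.findtext(f"{POM_NS}groupId", "") != "io.netty":
            continue
        artifact = dep.findtext(f"{POM_NS}artifactId", "")
        version = _expand(dep.findtext(f"{POM_NS}version", ""), props)
        if not version or "${" in version:
            continue  # managed elsewhere or unresolved property
        if is_affected(version):
            findings.append((artifact, version))
    return findings


# Constructed sample pom.xml for the demonstration; not taken from any real project.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <netty.version>4.2.12.Final</netty.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>io.netty</groupId>
      <artifactId>netty-transport-native-epoll</artifactId>
      <version>${netty.version}</version>
      <classifier>linux-x86_64</classifier>
    </dependency>
    <dependency>
      <groupId>io.netty</groupId>
      <artifactId>netty-handler</artifactId>
      <version>4.1.115.Final</version>
    </dependency>
    <dependency>
      <groupId>io.netty</groupId>
      <artifactId>netty-codec-http</artifactId>
      <version>4.2.13.Final</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for artifact, version in affected_netty_dependencies(SAMPLE_POM):
        print(f"AFFECTED: io.netty:{artifact}:{version} (upgrade to 4.2.13.Final or later)")
```

Run against the sample, only `netty-transport-native-epoll` at 4.2.12.Final is reported; the 4.1.x artifact is outside the range and 4.2.13.Final is the fixed release. Pre-release builds of 4.2.13 are treated as still affected, since they sort below the Final release that carries the fix.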

Risk and Exploitability

This vulnerability has a CVSS score of 7.5, indicating high severity. The EPSS score is not available, and the flaw is not listed in the CISA KEV catalog, so there is no known active exploitation at this time. However, the attack vector is remote: an adversary can trigger the issue by sending a TCP RST on a half-closed connection, which is a feasible action for an external attacker, and once triggered it can consume all CPU resources of the affected event loop thread, effectively shutting down the application. The risk remains significant until the software is updated.

Generated by OpenCVE AI on May 13, 2026 at 19:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Netty to version 4.2.13.Final or later.
  • Restart the Netty service to clear any stale channels after the upgrade.
  • Continuously monitor CPU usage and network activity to detect any sudden spikes that could indicate an exploitation attempt.

Generated by OpenCVE AI on May 13, 2026 at 19:42 UTC.


Advisories

Source | ID | Title
Github GHSA | GHSA-rwm7-x88c-3g2p | Netty epoll transport denial of service via RST on half-closed TCP connection
History

Mon, 18 May 2026 14:15:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*

Thu, 14 May 2026 16:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 13 May 2026 22:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Netty; Netty netty
Vendors & Products | | Netty; Netty netty

Wed, 13 May 2026 18:30:00 +0000

Type | Values Removed | Values Added
Description | | Netty is an asynchronous, event-driven network application framework. From 4.2.0.Final to 4.2.13.Final, Netty's epoll transport fails to detect and close TCP connections that receive a RST after being half-closed, leading to stale channels that are never cleaned up and, in some code paths, a 100% CPU busy-loop in the event loop thread. This vulnerability is fixed in 4.2.13.Final.
Title | | Netty: epoll transport denial of service via RST on half-closed TCP connection
Weaknesses | | CWE-772
References | |
Metrics | | cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T15:39:44.314Z

Reserved: 2026-04-28T17:26:12.085Z

Link: CVE-2026-42577

Vulnrichment

Updated: 2026-05-14T15:39:40.715Z

NVD

Status : Analyzed

Published: 2026-05-13T19:17:23.063

Modified: 2026-05-18T14:05:07.130

Link: CVE-2026-42577

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T21:45:04Z

Weaknesses