Description
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, netty_unix_socket_recvFd sets msg_control to `char control[CMSG_SPACE(sizeof(int))]` (line 940) — 24 bytes on 64-bit Linux. A peer-sent SCM_RIGHTS cmsg carrying two ints has cmsg_len = CMSG_LEN(8) = 24, which fits exactly with no MSG_CTRUNC, so the kernel installs both fds in the receiving process. The subsequent check `cmsg->cmsg_len == CMSG_LEN(sizeof(int))` (line 972, expected 20) fails, the branch that would read the fd is skipped, and neither installed fd is closed. The for(;;) loop calls recvmsg again (non-blocking → EAGAIN → Java maps to 0 → read loop exits normally), leaving two leaked fds per message. There is no MSG_CTRUNC handling. Reachable via Epoll/KQueue DomainSocketChannel when the application opts into DomainSocketReadMode.FILE_DESCRIPTORS (non-default). Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Published: 2026-06-12
Score: 4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in Netty's Unix‑socket receive function causes a file‑descriptor leak when a peer sends two descriptors at once via SCM_RIGHTS. The kernel installs both descriptors, but Netty's length check fails and the branch that would extract and close them is skipped, leaving two leaked file descriptors per message. The leak is a missing release of a resource after its effective lifetime (CWE‑772) and an inadvertent information exposure that a malicious peer could abuse to gain access to the files or devices the descriptors refer to (CWE‑200).
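The description above turns on a length-equality check that ignores a control message the kernel has already acted on. The following C is an added example, not Netty's code: a receiver that walks every SCM_RIGHTS payload and closes whatever it will not hand back, plus a constructed socketpair scenario that reproduces the two-fds-at-once message from the advisory and checks that nothing leaks. It assumes the 64-bit Linux layout the description uses (CMSG_SPACE(sizeof(int)) == 24).

```c
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/uio.h>
/* Hardened counterpart of the receive pattern described above: the same 24-byte
 * control buffer, but every SCM_RIGHTS payload is walked and every fd the kernel
 * installed is either returned or closed. Rejects (returning -1 with nothing left
 * open) unless exactly one fd arrived and MSG_CTRUNC is clear. */
int recv_one_fd(int sock) {
    char byte, control[CMSG_SPACE(sizeof(int))];
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = control, .msg_controllen = sizeof(control) };
    if (recvmsg(sock, &msg, 0) < 0) return -1;
    int got = -1, count = 0;
    for (struct cmsghdr *c = CMSG_FIRSTHDR(&msg); c; c = CMSG_NXTHDR(&msg, c)) {
        if (c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS) continue;
        size_t nfds = (c->cmsg_len - CMSG_LEN(0)) / sizeof(int); /* 2 when the peer sent two */
        int *fds = (int *)CMSG_DATA(c);
        for (size_t i = 0; i < nfds; i++) /* an equality check on cmsg_len would skip these */
            if (count++ == 0) got = fds[i]; else close(fds[i]);
    }
    if (count != 1 || (msg.msg_flags & MSG_CTRUNC)) { if (got >= 0) close(got); return -1; }
    return got;
}
/* Test peer: send nfds (1 or 2) descriptors in a single SCM_RIGHTS cmsg. */
static int send_fds(int sock, const int *fds, size_t nfds) {
    char byte = 0, control[CMSG_SPACE(2 * sizeof(int))];
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = control,
                          .msg_controllen = CMSG_SPACE(nfds * sizeof(int)) };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS; c->cmsg_len = CMSG_LEN(nfds * sizeof(int));
    memcpy(CMSG_DATA(c), fds, nfds * sizeof(int));
    return sendmsg(sock, &msg, 0) < 0 ? -1 : 0;
}
/* Lowest free fd number (dup returns the lowest): unchanged across a call means no leak. */
static int lowest_free_fd(int ref) { int p = dup(ref); close(p); return p; }
/* Constructed scenario from the advisory: the peer sends two fds (both pipe ends) at once
 * over a socketpair. Returns 1 if the message is rejected and no descriptor is left open. */
int two_fds_rejected_without_leak(void) {
    int sp[2], pp[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp) < 0 || pipe(pp) < 0) return 0;
    int before = lowest_free_fd(sp[0]);
    int ok = send_fds(sp[0], pp, 2) == 0 && recv_one_fd(sp[1]) == -1 && lowest_free_fd(sp[0]) == before;
    close(sp[0]); close(sp[1]); close(pp[0]); close(pp[1]);
    return ok;
}
```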

Affected Systems

Netty, the open‑source network application framework, is affected in all 4.1.x releases prior to 4.1.135.Final and in all 4.2.x releases prior to 4.2.15.Final. The flaw is only reachable when the application enables the DomainSocketReadMode.FILE_DESCRIPTORS mode on an Epoll or KQueue DomainSocketChannel and accepts Unix domain socket connections from a peer that can send SCM_RIGHTS messages.

Risk and Exploitability

The CVSS score of 4.0 indicates low severity. The EPSS is below 1 %, and the vulnerability is not listed in the CISA KEV catalog, suggesting limited exploit activity to date. The attack requires a local vector: a malicious peer must be able to connect to the application's Unix domain socket and send a crafted SCM_RIGHTS message carrying two descriptors. Once the message is processed, the application leaks the descriptors; repeated exploitation could exhaust the process's file descriptors and cause a denial of service. No privilege escalation or remote code execution is enabled through this flaw, but the risk is notable for long‑running services that do not protect or monitor descriptor counts.

Generated by OpenCVE AI on June 12, 2026 at 15:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Netty to version 4.1.135.Final, 4.2.15.Final, or newer
  • Disable or remove the FILE_DESCRIPTORS mode for DomainSocketChannel if it is not required by the application
  • Deploy resource‑limit monitoring to alert on abnormal file‑descriptor counts and enforce a hard cap to mitigate potential FD exhaustion

Advisories

Source: GitHub GHSA
ID: GHSA-w573-9ffj-6ff9
Title: Netty: Unix-socket fd receive leaks descriptors when peer sends two at once
History

Fri, 12 Jun 2026 16:45:00 +0000

Type: First Time appeared
Values Added: Netty; Netty netty

Type: Vendors & Products
Values Added: Netty; Netty netty

Fri, 12 Jun 2026 15:30:00 +0000

Type: Metrics
Values Added: ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 12 Jun 2026 14:30:00 +0000

Type: Description
Values Added: the description text shown in the Description section at the top of this page

Type: Title
Values Added: Netty: Unix-socket fd receive leaks descriptors when peer sends two at once

Type: Weaknesses
Values Added: CWE-200; CWE-772

Type: References
Values Added: (none)

Type: Metrics
Values Added: cvssV3_1

{'score': 4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-06-12T15:05:36.411Z
Reserved: 2026-05-12T17:48:47.878Z
Link: CVE-2026-45536

Vulnrichment

Updated: 2026-06-12T15:05:29.688Z

NVD

Status: Undergoing Analysis
Published: 2026-06-12T15:16:27.073
Modified: 2026-06-12T15:55:06.377
Link: CVE-2026-45536

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T16:30:13Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor

  • CWE-772

    Missing Release of Resource after Effective Lifetime