Description
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, netty_unix_socket_recvFd sets msg_control to `char control[CMSG_SPACE(sizeof(int))]` (line 940) — 24 bytes on 64-bit Linux. A peer-sent SCM_RIGHTS cmsg carrying two ints has cmsg_len = CMSG_LEN(8) = 24, which fits exactly with no MSG_CTRUNC, so the kernel installs both fds in the receiving process. The subsequent check `cmsg->cmsg_len == CMSG_LEN(sizeof(int))` (line 972, expected 20) fails, the branch that would read the fd is skipped, and neither installed fd is closed. The for(;;) loop calls recvmsg again (non-blocking → EAGAIN → Java maps to 0 → read loop exits normally), leaving two leaked fds per message. There is no MSG_CTRUNC handling. Reachable via Epoll/KQueue DomainSocketChannel when the application opts into DomainSocketReadMode.FILE_DESCRIPTORS (non-default). Versions 4.1.135.Final and 4.2.15.Final patch the issue.
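The receive path described above fails in two independent ways: the control-buffer size lets a two-descriptor cmsg through without MSG_CTRUNC, and the `cmsg_len == CMSG_LEN(sizeof(int))` test then skips the only code that would have touched (and closed) the installed descriptors. The following is an added example, not Netty's code or the upstream fix, showing how a strict single-descriptor receiver avoids both problems: it derives the descriptor count from `cmsg_len`, checks `MSG_CTRUNC`, and closes every descriptor the kernel installed whenever the message is not exactly one fd. `recv_one_fd()`, `send_fds()`, the demo functions and the socketpair setup are this example's own; the two-descriptor scenario it exercises is the one from the description.

```c
/* Added example, not Netty's code: a strict SCM_RIGHTS receiver that closes
 * the two gaps the advisory names. It checks MSG_CTRUNC, counts descriptors
 * from cmsg_len instead of testing cmsg_len == CMSG_LEN(sizeof(int)), and
 * closes every installed descriptor when the message does not carry one. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#ifndef MSG_CMSG_CLOEXEC   /* Linux-only; received fds should not survive exec */
#define MSG_CMSG_CLOEXEC 0
#endif
#define MAX_FDS 4          /* descriptors one message may carry in this demo */

/* Receive exactly one descriptor and return it. On a message with zero,
 * several or truncated descriptors, close every installed fd and return -1
 * with errno == EBADMSG. Socket errors return -1 with recvmsg's errno. */
int recv_one_fd(int sock)
{
    char control[CMSG_SPACE(sizeof(int) * MAX_FDS)], byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = control, .msg_controllen = sizeof control };
    if (recvmsg(sock, &msg, MSG_CMSG_CLOEXEC) < 0) return -1;
    int found = -1, total = 0;
    for (struct cmsghdr *c = CMSG_FIRSTHDR(&msg); c; c = CMSG_NXTHDR(&msg, c)) {
        if (c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS)
            continue;
        /* Two ints arrive as CMSG_LEN(8): derive the count, never skip the cmsg. */
        size_t count = (c->cmsg_len - CMSG_LEN(0)) / sizeof(int);
        for (size_t i = 0; i < count; i++, total++) {
            int fd;
            memcpy(&fd, CMSG_DATA(c) + i * sizeof(int), sizeof fd);
            if (found < 0) found = fd; else close(fd);   /* never leak extras */
        }
    }
    /* MSG_CTRUNC: kernel ran out of control space. EOF also lands here (total 0). */
    if ((msg.msg_flags & MSG_CTRUNC) || total != 1) {
        if (found >= 0) close(found);
        errno = EBADMSG;
        return -1;
    }
    return found;
}

/* Peer side: send `count` descriptors in a single SCM_RIGHTS message. */
int send_fds(int sock, const int *fds, size_t count)
{
    if (count == 0 || count > MAX_FDS) { errno = EINVAL; return -1; }
    char control[CMSG_SPACE(sizeof(int) * MAX_FDS)] = {0}, byte = 0;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = control,
                          .msg_controllen = CMSG_SPACE(sizeof(int) * count) };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int) * count);
    memcpy(CMSG_DATA(c), fds, sizeof(int) * count);
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Lowest free descriptor number; unchanged across a call means nothing leaked. */
static int next_free_fd(void)
{
    int fd = open("/dev/null", O_RDONLY);
    if (fd >= 0) close(fd);
    return fd;
}

/* Well-formed case over a socketpair: one descriptor arrives and is usable. */
int demo_single_fd_is_received(void)
{
    int sv[2], ok = 0;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return 0;
    int src = open("/dev/null", O_RDONLY);
    if (src >= 0 && send_fds(sv[0], &src, 1) == 0) {
        int fd = recv_one_fd(sv[1]);
        ok = fd >= 0 && fd != src && fcntl(fd, F_GETFD) != -1;
        if (fd >= 0) close(fd);
    }
    close(src); close(sv[0]); close(sv[1]);
    return ok;
}

/* The advisory's scenario: two descriptors packed into one message. Returns 1
 * if the message is rejected and the descriptor table is unchanged afterwards. */
int demo_two_fds_do_not_leak(void)
{
    int sv[2], ok = 0;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return 0;
    int payload[2] = { open("/dev/null", O_RDONLY), open("/dev/null", O_RDONLY) };
    if (payload[0] >= 0 && payload[1] >= 0 && send_fds(sv[0], payload, 2) == 0) {
        int before = next_free_fd();
        int fd = recv_one_fd(sv[1]);
        int err = errno;
        ok = fd == -1 && err == EBADMSG && next_free_fd() == before;
    }
    close(payload[0]); close(payload[1]); close(sv[0]); close(sv[1]);
    return ok;
}

int main(void)
{
    printf("single fd received: %s\n", demo_single_fd_is_received() ? "ok" : "FAIL");
    printf("two fds, no leak:   %s\n", demo_two_fds_do_not_leak() ? "ok" : "FAIL");
    return 0;
}
```

The design point is that a larger control buffer alone would not have fixed the leak: the receiver must walk every SCM_RIGHTS cmsg it gets and close whatever it is not going to hand back, and treat `MSG_CTRUNC` as a malformed message, because the kernel has already installed the descriptors by the time `recvmsg` returns. `demo_two_fds_do_not_leak()` checks this by comparing the lowest free descriptor number before and after the rejected receive.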
Published: 2026-06-12
Score: 4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In Netty, the Unix‑socket receive routine prepares a 24‑byte control buffer for passing file descriptors. When a peer sends a SCM_RIGHTS control message with two descriptors, the kernel correctly installs both descriptors. Netty then checks the message length for a single‑descriptor packet; this check fails and the code that would extract and close the descriptors is skipped. Consequently both descriptors remain open on the receiving side, leaking two file descriptors per message. The flaw represents an improper validation of message length (CWE‑167), a failure to release resources properly (CWE‑772), and an inadvertent information disclosure (CWE‑200). Though no code execution or privilege escalation is possible, repeated exploitation could lead to file‑descriptor exhaustion and availability problems.

Affected Systems

The vulnerability affects Netty releases 4.1.x through the last unpatched build prior to 4.1.135.Final and 4.2.x through the last unpatched build before 4.2.15.Final. It is reachable only when an application uses an Epoll or KQueue DomainSocketChannel and enables the non‑default DomainSocketReadMode.FILE_DESCRIPTORS mode, allowing a peer to send Unix domain socket messages that include file descriptors.

Risk and Exploitability

The CVSS score of 4.0 indicates low severity. The EPSS score of <1% and the absence from the CISA KEV catalog suggest that exploitation is currently rare. The likely attack vector is a local setup where a malicious peer can connect to the application’s Unix domain socket and transmit a crafted SCM_RIGHTS message carrying two descriptors. Once processed, the application leaks the descriptors; repeated exploitation could exhaust the process’s descriptor table, causing denial of service. No remote code execution or privilege escalation is enabled through this flaw, but the risk is notable for long‑running services that do not monitor or limit file‑descriptor usage.

Generated by OpenCVE AI on June 15, 2026 at 13:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Netty to version 4.1.135.Final, 4.2.15.Final, or newer
  • Disable or remove the FILE_DESCRIPTORS mode for DomainSocketChannel if it is not required
  • Set operating‑system file‑descriptor limits or monitor descriptor counts to detect and prevent exhaustion

Advisories

  • Source: Github GHSA
    ID: GHSA-w573-9ffj-6ff9
    Title: Netty: Unix-socket fd receive leaks descriptors when peer sends two at once

History

Mon, 15 Jun 2026 12:15:00 +0000
  Weaknesses: added CWE-167
  References: no values listed
  Metrics threat_severity: removed None; added Moderate

Mon, 15 Jun 2026 02:15:00 +0000
  CPEs: added cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*

Fri, 12 Jun 2026 16:45:00 +0000
  First Time appeared: added Netty, Netty netty
  Vendors & Products: added Netty, Netty netty

Fri, 12 Jun 2026 15:30:00 +0000
  Metrics ssvc: added {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 12 Jun 2026 14:30:00 +0000
  Description: added the current description text (see Description above)
  Title: added Netty: Unix-socket fd receive leaks descriptors when peer sends two at once
  Weaknesses: added CWE-200, CWE-772
  References: no values listed
  Metrics cvssV3_1: added {'score': 4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T15:05:36.411Z

Reserved: 2026-05-12T17:48:47.878Z

Link: CVE-2026-45536

Vulnrichment

Updated: 2026-06-12T15:05:29.688Z

NVD

Status : Analyzed

Published: 2026-06-12T15:16:27.073

Modified: 2026-06-15T02:14:53.013

Link: CVE-2026-45536

Redhat

Severity : Moderate

Public Date: 2026-06-12T14:12:48Z

Links: CVE-2026-45536 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-15T14:00:12Z

Weaknesses

  • CWE-167: Improper Handling of Additional Special Element
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
  • CWE-772: Missing Release of Resource after Effective Lifetime