Description
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, SimpleTrustManagerFactory.engineGetTrustManagers() and related paths wrap any user-supplied plain X509TrustManager in X509TrustManagerWrapper, which extends X509ExtendedTrustManager but implements the 3-arg checkServerTrusted(chain, authType, SSLEngine) by discarding the SSLEngine and calling the 2-arg delegate. Because the object now IS an X509ExtendedTrustManager, neither SunJSSE's internal AbstractTrustManagerWrapper nor Netty's own OpenSslX509TrustManagerWrapper will re-wrap it to add endpoint-identification. Consequently, even though Netty 4.2 sets endpointIdentificationAlgorithm="HTTPS" by default, a client built with `SslContextBuilder.forClient().trustManager(somePlainX509TrustManager)` performs no hostname verification at all. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Published: 2026-06-12
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Netty versions prior to 4.1.135.Final and 4.2.15.Final wrap any user-supplied plain X509TrustManager inside an X509TrustManagerWrapper that discards the SSLEngine parameter. Because the wrapper is itself an X509ExtendedTrustManager, neither SunJSSE nor Netty's OpenSSL provider re-wraps it to add endpoint identification, so Netty's default endpoint-identification algorithm is never applied to that trust manager. Consequently a client that calls SslContextBuilder.forClient().trustManager(somePlainX509TrustManager) completes TLS handshakes without checking the server's hostname, allowing an attacker who holds a certificate the trust manager accepts, issued for some other hostname, to impersonate the server and perform man-in-the-middle attacks.

Affected Systems

The vulnerability affects the Netty framework (netty:netty). All releases prior to 4.1.135.Final and 4.2.15.Final are impacted. The patched versions are 4.1.135.Final and 4.2.15.Final, which restore proper hostname verification by wrapping the supplied trust manager correctly. Any application that supplies a plain X509TrustManager to a client SslContextBuilder on an older Netty version is vulnerable, regardless of the Java runtime.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity and reflects that the flaw can be leveraged to compromise authentication and confidentiality. The EPSS score below 1% indicates that exploitation is not yet widespread, and the vulnerability is not listed in CISA KEV. However, the impact is far-reaching because the defect is triggered by any client that supplies a plain trust manager through the Netty builder. An attacker can pose as a legitimate server if the client code does not enforce additional verification. The risk is therefore significant for any deployment that relies on Netty for TLS connections.

Generated by OpenCVE AI on June 12, 2026 at 16:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Netty library to version 4.1.135.Final or 4.2.15.Final, which include the necessary hostname verification logic.
  • If an immediate upgrade is not possible, replace any custom trust manager usage with Netty's default trust manager or explicitly enable endpoint identification by configuring the 'endpointIdentificationAlgorithm' property on the SSL context.
  • Review the application code to ensure that no plain X509TrustManager is wrapped without proper hostname checking and verify that all client SSL contexts enforce hostname verification before establishing a connection.
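As an added example (not Netty's code and not a patch from the project), this is the shape of a trust manager a client can hand to SslContextBuilder.forClient().trustManager(...) before upgrading: because it already extends X509ExtendedTrustManager, Netty does not wrap it, and its SSLEngine overload keeps the engine and matches the peer host against the leaf certificate's dNSName SANs instead of discarding it, which is what the description says the vulnerable wrapper fails to do and why merely setting endpointIdentificationAlgorithm does not help once a plain manager has been wrapped. The class name, the fail-closed choices and the hand-written matcher are assumptions of this example; the peer host is the one passed to SslContext.newEngine(alloc, host, port).

```java
import java.net.Socket;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Locale;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedTrustManager;
import javax.net.ssl.X509TrustManager;

// Hypothetical wrapper (not Netty's X509TrustManagerWrapper): chain validation is delegated to the
// plain X509TrustManager, but the SSLEngine is kept so the peer host can be checked against the leaf SANs.
public final class HostnameCheckingTrustManager extends X509ExtendedTrustManager {
    private final X509TrustManager delegate;
    public HostnameCheckingTrustManager(X509TrustManager delegate) { this.delegate = delegate; }

    @Override public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
            throws CertificateException {
        delegate.checkServerTrusted(chain, authType);               // signature/chain validation only
        String host = engine == null ? null : engine.getPeerHost(); // set via SslContext.newEngine(alloc, host, port)
        if (host == null) throw new CertificateException("no peer host on SSLEngine; refusing to skip hostname check");
        verifyHostname(chain[0], host);
    }
    // Paths that carry no peer identity fail closed instead of silently skipping the check.
    @Override public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket)
            throws CertificateException { throw new CertificateException("Socket path not supported"); }
    @Override public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException { throw new CertificateException("no SSLEngine: hostname unverifiable"); }
    @Override public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
            throws CertificateException { delegate.checkClientTrusted(chain, authType); }
    @Override public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket)
            throws CertificateException { delegate.checkClientTrusted(chain, authType); }
    @Override public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException { delegate.checkClientTrusted(chain, authType); }
    @Override public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }

    // RFC 6125-style match: exact dNSName, or a leftmost-label wildcard covering exactly one label.
    static void verifyHostname(X509Certificate leaf, String host) throws CertificateException {
        var sans = leaf.getSubjectAlternativeNames(); // CertificateParsingException is a CertificateException
        if (sans != null) for (List<?> san : sans) {
            // GeneralName type 2 = dNSName; IP-address SANs (type 7) are deliberately not matched here
            if (Integer.valueOf(2).equals(san.get(0)) && dnsNameMatches((String) san.get(1), host)) return;
        }
        throw new CertificateException("certificate does not match host " + host);
    }
    static boolean dnsNameMatches(String pattern, String host) {
        pattern = pattern.toLowerCase(Locale.ROOT); host = host.toLowerCase(Locale.ROOT);
        if (!pattern.startsWith("*.")) return pattern.equals(host);
        int dot = host.indexOf('.');
        return dot > 0 && host.substring(dot + 1).equals(pattern.substring(2));
    }
}
```

Create the engine with the real peer host (SslContext.newEngine(ch.alloc(), host, port)) so getPeerHost() is populated; a client connecting by IP literal will be rejected by this matcher, which is the intended fail-closed behaviour rather than a silent pass.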

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 17:30:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 12 Jun 2026 16:45:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Netty; Netty netty
Type: Vendors & Products
Values removed: (none)
Values added: Netty; Netty netty

Fri, 12 Jun 2026 15:45:00 +0000

Type: Description
Values added: Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, SimpleTrustManagerFactory.engineGetTrustManagers() and related paths wrap any user-supplied plain X509TrustManager in X509TrustManagerWrapper, which extends X509ExtendedTrustManager but implements the 3-arg checkServerTrusted(chain, authType, SSLEngine) by discarding the SSLEngine and calling the 2-arg delegate. Because the object now IS an X509ExtendedTrustManager, neither SunJSSE's internal AbstractTrustManagerWrapper nor Netty's own OpenSslX509TrustManagerWrapper will re-wrap it to add endpoint-identification. Consequently, even though Netty 4.2 sets endpointIdentificationAlgorithm="HTTPS" by default, a client built with `SslContextBuilder.forClient().trustManager(somePlainX509TrustManager)` performs no hostname verification at all. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Type: Title
Values added: Netty's wrapping plain trust manager silently disables hostname verification
Type: Weaknesses
Values added: CWE-347
Type: References
Values added: (none)
Type: Metrics
Values added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T16:39:07.045Z

Reserved: 2026-06-02T22:46:02.578Z

Link: CVE-2026-50010

Vulnrichment

Updated: 2026-06-12T16:39:00.710Z

NVD

Status : Undergoing Analysis

Published: 2026-06-12T16:16:31.180

Modified: 2026-06-12T16:18:27.287

Link: CVE-2026-50010

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T16:30:14Z

Weaknesses
  • CWE-347: Improper Verification of Cryptographic Signature