CVE-2026-45536
Undergoing Analysis - In Progress
File Descriptor Leak in Netty via SCM_RIGHTS

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: GitHub, Inc.

Description
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, netty_unix_socket_recvFd sets msg_control to `char control[CMSG_SPACE(sizeof(int))]` (line 940), 24 bytes on 64-bit Linux. A peer-sent SCM_RIGHTS cmsg carrying two ints has cmsg_len = CMSG_LEN(8) = 24, which fits exactly with no MSG_CTRUNC, so the kernel installs both fds in the receiving process. The subsequent check `cmsg->cmsg_len == CMSG_LEN(sizeof(int))` (line 972, expected 20) fails, the branch that would read the fd is skipped, and neither installed fd is closed. The for(;;) loop calls recvmsg again (non-blocking → EAGAIN → Java maps to 0 → read loop exits normally), leaving two leaked fds per message. There is no MSG_CTRUNC handling. Reachable via Epoll/KQueue DomainSocketChannel when the application opts into DomainSocketReadMode.FILE_DESCRIPTORS (non-default). Versions 4.1.135.Final and 4.2.15.Final patch the issue.

Affected Vendors & Products

Vendor    Product    Version / Range
netty     netty      up to 4.2.15.Final (exclusive)
netty     netty      up to 4.1.135.Final (exclusive)

CWE ID Description
CWE-772 The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Executive Summary

CVE-2026-45536 is a vulnerability in Netty's Unix socket file descriptor handling. The issue arises in the function netty_unix_socket_recvFd, which allocates a fixed 24-byte buffer for control messages. When a peer sends a SCM_RIGHTS control message containing two file descriptors, both fit exactly into this buffer without truncation. However, a length check in the code fails because it expects a smaller size, causing the function to skip reading and closing these file descriptors. As a result, the file descriptors are leaked.

This vulnerability is reachable when using Epoll/KQueue DomainSocketChannel with the DomainSocketReadMode.FILE_DESCRIPTORS option enabled, which is not the default. The issue affects Netty versions prior to 4.1.135.Final and 4.2.15.Final, where patches have been applied.

Impact Analysis

The vulnerability can lead to resource exhaustion due to leaked file descriptors. Each message containing two file descriptors causes two descriptors to be leaked and not closed properly. Over time, this can deplete system resources, potentially causing application instability or denial of service.

Detection Guidance

This vulnerability involves leaking file descriptors when a peer sends two file descriptors at once via Unix domain sockets using Netty's DomainSocketChannel with DomainSocketReadMode.FILE_DESCRIPTORS enabled.

Detection would involve monitoring for leaked file descriptors in the affected Netty application, especially when using Unix domain sockets.

While no specific commands are provided in the resources, typical detection steps could include:

  • Using tools like lsof or /proc filesystem to monitor open file descriptors of the Netty process over time to identify leaks.
  • Checking for unusually high numbers of open file descriptors related to Unix domain sockets.
  • Using strace or similar tools to trace recvmsg system calls and inspect control messages for SCM_RIGHTS usage.
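
Added example, not Netty's code and not part of the advisory: a C model of the receive path from the Description, with the strict length check (strict=1) beside a hardened variant (strict=0), plus an in-process open-fd count of the kind the detection steps above rely on. The names recv_fd, open_fd_count and leaked_fds are hypothetical, the two-fd message is constructed over a local socketpair, and 64-bit Linux is assumed.

```c
#include <fcntl.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical model, not Netty's code. strict=1: described length check; strict=0: hardened. */
static int recv_fd(int sock, int strict) {
    char byte, control[CMSG_SPACE(sizeof(int))];      /* 24 bytes on 64-bit Linux */
    struct iovec iov = { &byte, 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = control,
                          .msg_controllen = sizeof(control) };
    int got = -1, fd;
    if (recvmsg(sock, &msg, 0) < 0) return -1;
    for (struct cmsghdr *c = CMSG_FIRSTHDR(&msg); c; c = CMSG_NXTHDR(&msg, c)) {
        if (c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS) continue;
        if (c->cmsg_len == CMSG_LEN(sizeof(int)) && got < 0)
            memcpy(&got, CMSG_DATA(c), sizeof(got));   /* exactly one fd: take it */
        else if (!strict)   /* strict: mismatch is skipped, installed fds stay open */
            for (size_t off = 0; CMSG_LEN(off + sizeof(fd)) <= c->cmsg_len; off += sizeof(fd)) {
                memcpy(&fd, CMSG_DATA(c) + off, sizeof(fd));
                close(fd);                             /* hardened: release each one */
            }
    }
    return got;
}

static int open_fd_count(void) {   /* in-process stand-in for counting /proc/<pid>/fd */
    int n = 0;
    for (int fd = 0; fd < 1024; fd++) n += fcntl(fd, F_GETFD) != -1;
    return n;
}

/* Constructed input: one message carrying two fds (both ends of a socketpair).
 * Returns how many descriptors remain open afterwards that were not open before. */
static int leaked_fds(int strict) {
    int sv[2], fd, before = open_fd_count();
    char byte = 0, control[CMSG_SPACE(sizeof(sv))] = {0};
    struct iovec iov = { &byte, 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = control,
                          .msg_controllen = sizeof(control) };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(sv));      /* 24: fills the receiver's buffer exactly */
    memcpy(CMSG_DATA(c), sv, sizeof(sv));
    sendmsg(sv[0], &msg, 0);
    if ((fd = recv_fd(sv[1], strict)) >= 0) close(fd);
    close(sv[0]); close(sv[1]);
    return open_fd_count() - before;
}
```

On a 64-bit Linux host, leaked_fds(1) returns 2 and leaked_fds(0) returns 0, which is the same per-message growth a monitor of the process's open descriptors would observe.
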
Mitigation Strategies

The primary mitigation is to upgrade Netty to a patched version where this issue is fixed.

  • Upgrade to Netty version 4.1.135.Final or later.
  • Or upgrade to Netty version 4.2.15.Final or later.

Until upgrading, avoid using DomainSocketReadMode.FILE_DESCRIPTORS if possible, as the vulnerability is reachable only when this mode is enabled.

Compliance Impact

This vulnerability in Netty causes file descriptor leaks that primarily impact availability due to resource exhaustion. There is no indication that it affects confidentiality or integrity of data.

Since the vulnerability does not involve unauthorized access to or disclosure of personal or sensitive data, it does not directly impact compliance with standards like GDPR or HIPAA, which focus on protecting personal data privacy and security.

Resource exhaustion leading to denial of service could indirectly affect availability requirements under some regulations, but this is a moderate severity issue with no direct data breach implications.
