CVE intelligence and bounded remediation
CVE-2026-45536 — Netty is a network application framework for development of protocol servers and clients
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, netty_unix_socket_recvFd sets msg_control to `char control[CMSG_SPACE(sizeof(int))]` (line 940) — 24 bytes on 64-bit Linux. A peer-sent SCM_RIGHTS cmsg carrying two ints has cmsg_len = CMSG_LEN(8) = 24, which fits exactly with no MSG_CTRUNC, so the kernel installs both fds in the receiving process. The subsequent check `cmsg->cmsg_len == CMSG_LEN(sizeof(int))` (line 972, expected 20) fails, the branch that would read the fd is skipped, and neither installed fd is closed. The for(;;) loop calls recvmsg again (non-blocking → EAGAIN → Java maps to 0 → read loop exits normally), leaving two leaked fds per message. There is no MSG_CTRUNC handling. Reachable via Epoll/KQueue DomainSocketChannel when the application opts into DomainSocketReadMode.FILE_DESCRIPTORS (non-default). Versions 4.1.135.Final and 4.2.15.Final patch the issue.
- Severity
- Medium
- CVSS
- 4 (3.1)
- Published
- 2026-06-12
- CISA KEV
- Not currently listed
- Ecosystem
- linux/kernel
- Weaknesses
- CWE-200, CWE-772
Affected products
- netty / netty
Matched remediation archetype
Information disclosure and sensitive data exposure
This catalog composition supplies bounded fallback guidance. Explicitly reviewed curated workflows load with the complete record below.
Check exposure
- Trace sensitive data through responses, errors, logs, metrics, traces, caches, exports, files, backups, and client bundles.
- Identify affected subjects, tenants, retention windows, access controls, and downstream copies without opening unnecessary sensitive records.
- Review metadata, timing, status, length, and existence signals as well as direct content disclosure.
Remediate safely
- Minimize collection and output, apply field-level authorization and redaction at a centralized boundary, and return generic external errors.
- Remove secrets and sensitive data from logs, artifacts, URLs, caches, and client-side bundles; rotate credentials that may have been exposed.
- Update the affected component and add synthetic-data tests for response, error, observability, and export paths.
Authoritative sources
Complete CVE record and remediation plan
The detailed catalog view below loads this exact record, its source evidence, and the full seven-phase agentic change plan.