CVE-2026-50010 - Netty trust manager hostname verification bypass
CVE-2026-50010 affects Netty TLS clients that call
SslContextBuilder.forClient().trustManager(somePlainX509TrustManager).
Netty’s wrapping logic can convert a plain X509TrustManager into an
X509ExtendedTrustManager in a way that prevents later hostname-verification
wrapping, so clients silently skip HTTPS endpoint identification.
The risky shape is not every Netty install. It is custom TLS client code that supplies its own trust manager and assumes hostname verification still happens.
When to use it
- A Java service resolves vulnerable
io.netty:netty-handlerand builds Netty TLS clients. - Client code uses
SslContextBuilder.forClient().trustManager(...)with a custom or plainX509TrustManager. - mTLS, private PKI, service mesh, proxy, or SDK code may confuse certificate trust with hostname verification.
- You need a bounded PR or triage note that upgrades Netty and proves endpoint identification still rejects hostname mismatches.
Inputs
- Maven/Gradle manifests, lockfiles, BOMs, shaded/vendor artifacts, container files, SBOMs, and generated dependency reports.
- Netty TLS client builders, trust-manager implementations, trust stores, endpoint-identification settings, and service endpoint inventory.
- Available dependency resolution, TLS regression tests, unit/integration tests, build, image build, SBOM, and security scan commands.
Affected versions
- Vulnerable:
io.netty:netty-handler <= 4.1.134.Finaland<= 4.2.14.Final - Fixed:
4.1.135.Final+and4.2.15.Final+ - Exploit precondition: client code passes a plain
X509TrustManagerinto Netty client TLS configuration
Indicator-of-exposure
- The repository resolves vulnerable
io.netty:netty-handlerversions. - Code builds client TLS contexts with
SslContextBuilder.forClient(). - Custom
trustManager(...)calls passX509TrustManagerinstances instead of higher-level safe defaults.
Quick checks:
rg -n "SslContextBuilder\\.forClient\\(|trustManager\\(|X509TrustManager|X509ExtendedTrustManager|endpointIdentificationAlgorithm" .
./mvnw dependency:tree -Dincludes=io.netty:netty-handler
./gradlew dependencies --configuration runtimeClasspath
Do not verify by connecting to attacker-controlled TLS endpoints.
Remediation strategy
- Upgrade
io.netty:netty-handlerto4.1.135.Final+or4.2.15.Final+. - Audit custom TLS client builders that pass explicit trust managers.
- Prefer safe default trust-manager handling or ensure endpoint identification remains enforced after the upgrade.
- Add negative TLS tests that prove hostname mismatches are rejected.
The prompt
Model context: this prompt was generated by GPT 5.5 Extra High reasoning.
You are remediating CVE-2026-50010 / GHSA-c653-97m9-rcg9, a Netty TLS client
issue where wrapping a plain trust manager can silently disable hostname
verification. Produce exactly one output:
- A reviewer-ready PR/change request that upgrades Netty, audits custom trust
manager usage, adds safe regression checks, and documents operator follow-up,
or
- TRIAGE.md if this repository does not control an affected Netty client path.
## Rules
- Scope only CVE-2026-50010 and directly related Netty client TLS code.
- Treat certificates, trust stores, private keys, and service endpoints as
sensitive.
- Do not test against attacker-controlled TLS infrastructure.
- Do not auto-merge.
## Steps
1. Inventory every Netty dependency, lockfile, and TLS client path controlled
here.
2. Determine whether any resolved `netty-handler` version is vulnerable.
3. Search for custom `SslContextBuilder.forClient().trustManager(...)` usage.
4. If no controlled affected client path exists, stop with `TRIAGE.md`.
5. Upgrade `netty-handler` to a fixed version and refresh dependency artifacts.
6. Replace unsafe plain-trust-manager patterns with safe defaults or verify
endpoint identification remains enforced.
7. Add safe regression tests that confirm hostname mismatches are rejected.
8. Add a PR body section named `CVE-2026-50010 operator actions` covering
versions before and after, which client paths were audited, and what TLS
regression checks were added.
9. Run relevant validation: dependency refresh, tests, TLS client regressions,
linting, and dependency/security scans.
10. Use PR title:
`fix(sec): remediate CVE-2026-50010 in Netty TLS clients`.
## Stop conditions
- No affected Netty client code is controlled here.
- Validation would require probing attacker-controlled TLS endpoints.
- Client TLS policy is owned by another library or platform outside this repo.
Verification - what the reviewer looks for
- No controlled install resolves vulnerable
netty-handlerreleases. - Custom client TLS code still enforces hostname verification after the change.
- Regression tests fail on hostname mismatch instead of trusting the endpoint.
Output contract
- Reviewer-ready PR upgrading all controlled Netty handler artifacts to
4.1.135.Final+or4.2.15.Final+. - Audit evidence for custom
forClient().trustManager(...)paths, shaded copies, and vendored Netty bundles. - Safe hostname-mismatch regression tests or equivalent TLS policy checks.
TRIAGE.mdwhen TLS policy or the affected Netty client path is owned by another library/platform outside this repository.
Watch for
- Upgrading dependencies but leaving shaded or vendored Netty copies.
- Fixing the package while custom trust-manager code still suppresses endpoint checks elsewhere.
- Mistaking certificate trust for hostname verification.
Related recipes
- CVE-2026-48069 grpc-js compressed message crash
- Vulnerable dependency remediation
- CVE intelligence intake gate
References
- GitHub Advisory Database: https://github.com/advisories/GHSA-c653-97m9-rcg9
- Netty vendor advisory: https://github.com/netty/netty/security/advisories/GHSA-c653-97m9-rcg9
- CVE record: https://www.cve.org/CVERecord?id=CVE-2026-50010