CVE-2026-50010 - Netty trust manager hostname verification bypass

CVE-2026-50010 affects Netty TLS clients that call SslContextBuilder.forClient().trustManager(somePlainX509TrustManager). Netty’s wrapping logic can convert a plain X509TrustManager into an X509ExtendedTrustManager in a way that prevents later hostname-verification wrapping, so clients silently skip HTTPS endpoint identification.

The risky shape is not every Netty install. It is custom TLS client code that supplies its own trust manager and assumes hostname verification still happens.

When to use it

  • A Java service resolves vulnerable io.netty:netty-handler and builds Netty TLS clients.
  • Client code uses SslContextBuilder.forClient().trustManager(...) with a custom or plain X509TrustManager.
  • mTLS, private PKI, service mesh, proxy, or SDK code may confuse certificate trust with hostname verification.
  • You need a bounded PR or triage note that upgrades Netty and proves endpoint identification still rejects hostname mismatches.

Inputs

  • Maven/Gradle manifests, lockfiles, BOMs, shaded/vendor artifacts, container files, SBOMs, and generated dependency reports.
  • Netty TLS client builders, trust-manager implementations, trust stores, endpoint-identification settings, and service endpoint inventory.
  • Available dependency resolution, TLS regression tests, unit/integration tests, build, image build, SBOM, and security scan commands.

Affected versions

  • Vulnerable: io.netty:netty-handler <= 4.1.134.Final and <= 4.2.14.Final
  • Fixed: 4.1.135.Final+ and 4.2.15.Final+
  • Exploit precondition: client code passes a plain X509TrustManager into Netty client TLS configuration

Indicator-of-exposure

  • The repository resolves vulnerable io.netty:netty-handler versions.
  • Code builds client TLS contexts with SslContextBuilder.forClient().
  • Custom trustManager(...) calls pass X509TrustManager instances instead of higher-level safe defaults.

Quick checks:

rg -n "SslContextBuilder\\.forClient\\(|trustManager\\(|X509TrustManager|X509ExtendedTrustManager|endpointIdentificationAlgorithm" .
./mvnw dependency:tree -Dincludes=io.netty:netty-handler
./gradlew dependencies --configuration runtimeClasspath

Do not verify by connecting to attacker-controlled TLS endpoints.

Remediation strategy

  • Upgrade io.netty:netty-handler to 4.1.135.Final+ or 4.2.15.Final+.
  • Audit custom TLS client builders that pass explicit trust managers.
  • Prefer safe default trust-manager handling or ensure endpoint identification remains enforced after the upgrade.
  • Add negative TLS tests that prove hostname mismatches are rejected.

The prompt

Model context: this prompt was generated by GPT 5.5 Extra High reasoning.

You are remediating CVE-2026-50010 / GHSA-c653-97m9-rcg9, a Netty TLS client
issue where wrapping a plain trust manager can silently disable hostname
verification. Produce exactly one output:

- A reviewer-ready PR/change request that upgrades Netty, audits custom trust
  manager usage, adds safe regression checks, and documents operator follow-up,
  or
- TRIAGE.md if this repository does not control an affected Netty client path.

## Rules

- Scope only CVE-2026-50010 and directly related Netty client TLS code.
- Treat certificates, trust stores, private keys, and service endpoints as
  sensitive.
- Do not test against attacker-controlled TLS infrastructure.
- Do not auto-merge.

## Steps

1. Inventory every Netty dependency, lockfile, and TLS client path controlled
   here.
2. Determine whether any resolved `netty-handler` version is vulnerable.
3. Search for custom `SslContextBuilder.forClient().trustManager(...)` usage.
4. If no controlled affected client path exists, stop with `TRIAGE.md`.
5. Upgrade `netty-handler` to a fixed version and refresh dependency artifacts.
6. Replace unsafe plain-trust-manager patterns with safe defaults or verify
   endpoint identification remains enforced.
7. Add safe regression tests that confirm hostname mismatches are rejected.
8. Add a PR body section named `CVE-2026-50010 operator actions` covering
   versions before and after, which client paths were audited, and what TLS
   regression checks were added.
9. Run relevant validation: dependency refresh, tests, TLS client regressions,
   linting, and dependency/security scans.
10. Use PR title:
    `fix(sec): remediate CVE-2026-50010 in Netty TLS clients`.

## Stop conditions

- No affected Netty client code is controlled here.
- Validation would require probing attacker-controlled TLS endpoints.
- Client TLS policy is owned by another library or platform outside this repo.

Verification - what the reviewer looks for

  • No controlled install resolves vulnerable netty-handler releases.
  • Custom client TLS code still enforces hostname verification after the change.
  • Regression tests fail on hostname mismatch instead of trusting the endpoint.

Output contract

  • Reviewer-ready PR upgrading all controlled Netty handler artifacts to 4.1.135.Final+ or 4.2.15.Final+.
  • Audit evidence for custom forClient().trustManager(...) paths, shaded copies, and vendored Netty bundles.
  • Safe hostname-mismatch regression tests or equivalent TLS policy checks.
  • TRIAGE.md when TLS policy or the affected Netty client path is owned by another library/platform outside this repository.

Watch for

  • Upgrading dependencies but leaving shaded or vendored Netty copies.
  • Fixing the package while custom trust-manager code still suppresses endpoint checks elsewhere.
  • Mistaking certificate trust for hostname verification.

References