CVE-2026-42577 netty CVE debrief

## Summary

Netty's epoll transport (versions 4.2.0.Final through 4.2.13.Final) fails to detect TCP RST packets on half-closed connections, causing stale channels to accumulate and, in certain code paths, triggering a 100% CPU busy-loop in the event loop thread. This denial-of-service condition requires no authentication and is remotely exploitable.

## Affected Versions

- **Netty**: 4.2.0.Final to 4.2.13.Final (exclusive of patched version)
- **Component**: epoll transport on Linux systems

## Root Cause

When a TCP connection is half-closed (one side has sent FIN) and subsequently receives a RST packet, the epoll transport does not detect this condition. The channel remains registered in the selector without being cleaned up, leading to resource exhaustion and potential CPU spinning.

## Impact

- **Availability**: HIGH — unbounded channel accumulation and CPU busy-loop can render services unresponsive
- **Confidentiality/Integrity**: None
- **Attack Vector**: Network-based, no privileges required

## Detection Guidance

Monitor for:

- Elevated CPU usage in Netty event loop threads (consistent 100% utilization on single cores)
- Growing counts of open file descriptors or `Channel` instances that do not correlate with active connections
- Unusual patterns of half-closed connections in application metrics

## Recommended Actions

1. **Upgrade immediately** to Netty 4.2.13.Final or later, which contains the fix
2. **If immediate patching is not feasible**:
   - Implement connection timeouts at the application layer
   - Monitor and alert on event loop thread CPU utilization
   - Consider temporarily disabling the epoll transport and falling back to NIO on affected systems
3. **Verify fix deployment** by checking the Netty version in dependency manifests and on the runtime classpath

## References

- CVE Record: CVE.org official entry
- NVD Entry: NIST National Vulnerability Database
- Vendor Advisory: GitHub Security Advisory (GHSA-rwm7-x88c-3g2p)
- Patch Commit: GitHub commit 0ec3d97fab376e243d328ac95fbd288ba0f6e22d
- Pull Request: GitHub PR #16689

## Timeline

- **2026-05-13**: CVE published, vulnerability disclosed
- **2026-05-18**: CVE record modified (

Vendor: netty
Product: Unknown
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-13
Original CVE updated: 2026-05-18
Advisory published: 2026-05-13
Advisory updated: 2026-05-18

Who should care

Organizations running Netty-based services on Linux with epoll transport enabled, particularly high-throughput or long-lived connection services such as proxies, gateways, and messaging infrastructure.

Technical summary

The epoll transport in Netty 4.2.0.Final through 4.2.13.Final mishandles TCP RST packets received after a connection is half-closed. This failure to detect connection termination prevents proper channel cleanup, resulting in stale channel accumulation. In specific code paths, this condition causes the event loop thread to enter a 100% CPU busy-loop. The vulnerability is fixed in version 4.2.13.Final.

Defensive priority

critical

Recommended defensive actions

  • Upgrade to Netty 4.2.13.Final or later
  • Implement application-layer connection timeouts as interim mitigation
  • Monitor event loop thread CPU utilization for signs of exploitation
  • Verify Netty version in production deployments
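As an added illustration of the interim mitigations listed here and under Recommended Actions above (example code, not PatchSiren's or the Netty project's own): a Java server bootstrap that reads the Netty artifact versions present on the runtime classpath, falls back to the NIO transport while an epoll transport below the 4.2.13.Final fix is present, and closes channels that go idle at the application layer. It assumes Netty 4.2's `MultiThreadIoEventLoopGroup`/`IoHandler` API; the class name and the "any netty-transport* artifact below 4.2.13" heuristic are this example's own choices.

```java
import io.netty.bootstrap.ServerBootstrap;
import io.netty.channel.*;
import io.netty.channel.epoll.Epoll;
import io.netty.channel.epoll.EpollIoHandler;
import io.netty.channel.epoll.EpollServerSocketChannel;
import io.netty.channel.nio.NioIoHandler;
import io.netty.channel.nio.NioServerSocketChannel;
import io.netty.channel.socket.SocketChannel;
import io.netty.handler.timeout.IdleStateEvent;
import io.netty.handler.timeout.IdleStateHandler;
import io.netty.util.Version;

public final class SafeTransportBootstrap {
    /** True for 4.2.0.Final .. 4.2.12.Final, i.e. below the 4.2.13.Final fix the debrief names. */
    static boolean isAffectedVersion(String artifactVersion) {
        String[] p = artifactVersion.split("\\.");
        if (p.length < 3) return false;
        try {
            return Integer.parseInt(p[0]) == 4 && Integer.parseInt(p[1]) == 2 && Integer.parseInt(p[2]) < 13;
        } catch (NumberFormatException e) {
            return false; // unparseable build string: unknown, not flagged
        }
    }
    /** Runtime classpath check over the netty-transport* artifacts Netty reports about itself (heuristic). */
    static boolean epollTransportOnClasspathIsAffected() {
        for (Version v : Version.identify().values()) {
            if (v.artifactId().startsWith("netty-transport") && isAffectedVersion(v.artifactVersion())) return true;
        }
        return false;
    }
    /** Falls back to NIO while the epoll transport is vulnerable; closes channels idle for idleSeconds. */
    static ServerBootstrap bootstrap(int idleSeconds) {
        boolean useEpoll = Epoll.isAvailable() && !epollTransportOnClasspathIsAffected();
        EventLoopGroup group = new MultiThreadIoEventLoopGroup(useEpoll ? EpollIoHandler.newFactory() : NioIoHandler.newFactory());
        return new ServerBootstrap().group(group)
                .channel(useEpoll ? EpollServerSocketChannel.class : NioServerSocketChannel.class)
                .childHandler(new ChannelInitializer<SocketChannel>() {
                    @Override protected void initChannel(SocketChannel ch) {
                        // Application-layer timeout: silence in both directions for idleSeconds fires an
                        // IdleStateEvent, and the handler below closes the channel instead of letting it linger.
                        ch.pipeline().addLast(new IdleStateHandler(0, 0, idleSeconds));
                        ch.pipeline().addLast(new ChannelDuplexHandler() {
                            @Override public void userEventTriggered(ChannelHandlerContext ctx, Object evt) {
                                if (evt instanceof IdleStateEvent) ctx.close(); else ctx.fireUserEventTriggered(evt);
                            }
                        });
                        // application protocol handlers are added after this point
                    }
                });
    }
}
```

The classpath check is also what the "verify Netty version in production deployments" step amounts to at runtime; logging its result at startup gives operators a direct signal that the fix has actually shipped.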

Evidence notes

Root cause and impact derived from NVD CPE criteria and GitHub Security Advisory metadata. Patch availability confirmed via referenced commit and pull request.