PatchSiren cyber security CVE debrief
CVE-2026-45536 netty CVE debrief
CVE-2026-45536 is a MEDIUM severity vulnerability in Netty, a network application framework. The vulnerability occurs in the netty_unix_socket_recvFd function, where a peer-sent SCM_RIGHTS cmsg carrying two ints can cause a file descriptor leak. This happens when the application opts into DomainSocketReadMode.FILE_DESCRIPTORS (non-default) via Epoll/KQueue DomainSocketChannel. The issue is patched in versions 4.1.135.Final and 4.2.15.Final.
- Vendor: netty
- Product: Unknown
- CVSS: MEDIUM 4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-12
Who should care
Users of Netty versions prior to 4.1.135.Final and 4.2.15.Final who utilize Epoll/KQueue DomainSocketChannel with DomainSocketReadMode.FILE_DESCRIPTORS enabled.
Technical summary
The netty_unix_socket_recvFd function sets msg_control to a buffer of size 24 bytes on 64-bit Linux. A peer-sent SCM_RIGHTS cmsg carrying two ints has a length that fits exactly in this buffer, causing the kernel to install both fds in the receiving process. However, the subsequent check for cmsg_len fails, skipping the branch that would read the fd, and neither installed fd is closed. This results in two leaked fds per message.
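The following C program is an added illustration of the mechanism described above, not Netty's code and not taken from the advisory. It reproduces the shape of the bug on 64-bit Linux (assumed platform): a receiver sizes its control buffer for a single int, CMSG_SPACE(sizeof(int)) == 24 bytes, and a peer sends one SCM_RIGHTS cmsg carrying two ints, whose CMSG_LEN(2 * sizeof(int)) == 24 fits exactly, so the kernel installs both fds. Instead of testing cmsg_len against the one expected length (the check the leak slipped past), the hardened receiver derives the fd count from cmsg_len, keeps the one fd it wants and closes the surplus. The socketpair, the pipe fds being passed and the helper names (send_fds, recv_one_fd, demo_two_fds_one_slot) are all constructed for this example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>

/* Accounting returned by the receiver so a caller (or a test) can see
 * exactly how many fds the kernel installed and what happened to them. */
struct recv_result {
    int fd;        /* the single fd the caller wanted, or -1 */
    int received;  /* fds the kernel installed in this process */
    int closed;    /* surplus fds closed to avoid a leak */
    int truncated; /* 1 if MSG_CTRUNC was set (control data did not fit) */
};

/* Constructed sender: one SCM_RIGHTS cmsg carrying `count` fds (max 8). */
static int send_fds(int sock, const int *fds, int count)
{
    if (count < 1 || count > 8) return -1;
    char data = 'x';
    struct iovec iov = { .iov_base = &data, .iov_len = 1 };
    union { char buf[CMSG_SPACE(8 * sizeof(int))]; struct cmsghdr align; } u;
    memset(&u, 0, sizeof u);
    struct msghdr msg;
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = u.buf;
    msg.msg_controllen = CMSG_SPACE(count * sizeof(int));
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(count * sizeof(int));
    memcpy(CMSG_DATA(c), fds, count * sizeof(int));
    return sendmsg(sock, &msg, 0) < 0 ? -1 : 0;
}

/* Hardened receiver: expects one fd, but accounts for every fd the kernel
 * actually installed and closes any surplus instead of leaking it. */
struct recv_result recv_one_fd(int sock)
{
    struct recv_result r = { -1, 0, 0, 0 };
    char data;
    struct iovec iov = { .iov_base = &data, .iov_len = 1 };
    /* Control buffer sized for ONE int: 24 bytes on 64-bit Linux. A cmsg
     * carrying TWO ints has cmsg_len 24 and still fits, so both fds arrive. */
    union { char buf[CMSG_SPACE(sizeof(int))]; struct cmsghdr align; } u;
    struct msghdr msg;
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = u.buf;
    msg.msg_controllen = sizeof u.buf;

    if (recvmsg(sock, &msg, 0) < 0) return r;
    if (msg.msg_flags & MSG_CTRUNC) r.truncated = 1;

    for (struct cmsghdr *c = CMSG_FIRSTHDR(&msg); c; c = CMSG_NXTHDR(&msg, c)) {
        if (c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS) continue;
        /* Count fds from cmsg_len rather than requiring one exact length:
         * an equality test against CMSG_LEN(sizeof(int)) would skip this
         * cmsg entirely and leave both installed fds open. */
        size_t payload = c->cmsg_len - CMSG_LEN(0);
        int count = (int)(payload / sizeof(int));
        for (int i = 0; i < count; i++) {
            int fd;
            memcpy(&fd, CMSG_DATA(c) + i * sizeof(int), sizeof fd);
            r.received++;
            if (r.fd < 0) {
                r.fd = fd;          /* the one we asked for */
            } else {
                close(fd);          /* surplus: close, do not leak */
                r.closed++;
            }
        }
    }
    return r;
}

/* Constructed scenario: peer passes two pipe fds in one cmsg while the
 * receiver only has room for one. Returns the receiver's accounting. */
struct recv_result demo_two_fds_one_slot(void)
{
    struct recv_result bad = { -1, -1, -1, -1 };
    int sp[2], pfd[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp) < 0) return bad;
    if (pipe(pfd) < 0) return bad;
    if (send_fds(sp[0], pfd, 2) < 0) return bad;
    struct recv_result r = recv_one_fd(sp[1]);
    if (r.fd >= 0) close(r.fd);
    close(pfd[0]); close(pfd[1]); close(sp[0]); close(sp[1]);
    return r;
}

int main(void)
{
    struct recv_result r = demo_two_fds_one_slot();
    printf("installed=%d kept=%s closed=%d truncated=%d\n",
           r.received, r.fd >= 0 ? "yes" : "no", r.closed, r.truncated);
    return 0;
}
```

The defensive takeaway is the loop: whatever length the receiver expected, every fd that the kernel installed must be either handed to the application or closed, and MSG_CTRUNC should be treated as a signal that the peer sent more control data than the buffer allowed.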
Defensive priority
MEDIUM
Recommended defensive actions
- Upgrade to Netty 4.1.135.Final or later on the 4.1 line, or 4.2.15.Final or later on the 4.2 line.
- Avoid using DomainSocketReadMode.FILE_DESCRIPTORS with Epoll/KQueue DomainSocketChannel if possible.
Evidence notes
The vulnerability is reachable via Epoll/KQueue DomainSocketChannel when the application opts into DomainSocketReadMode.FILE_DESCRIPTORS. Versions 4.1.135.Final and 4.2.15.Final patch the issue. [ref-4], [ref-5], [ref-6]
Official resources
CVE-2026-45536 was published on 2026-06-12T15:16:27.073Z and modified on 2026-06-12T15:55:06.377Z.