CVE-2026-42577
HIGH EPSS 32.6%
Published May 13, 20261mo ago · Modified Jun 17, 20262w ago
7.5 CVSS 3.1
Published May 13, 2026 1mo ago
Last Modified Jun 17, 2026 2w ago
Description
Netty is an asynchronous, event-driven network application framework. From 4.2.0.Final to 4.2.13.Final , Netty's epoll transport fails to detect and close TCP connections that receive a RST after being half-closed, leading to stale channels that are never cleaned up and, in some code paths, a 100% CPU busy-loop in the event loop thread. This vulnerability is fixed in 4.2.13.Final.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High
Threat Intelligence
EPSS Exploit Probability
32.6% percentile
Exploit & Patch Status
No Known Exploit
Patch Available
Weaknesses 1
CWE-772
Affected Products 1
| Vendor | Product | Version | Range |
|---|---|---|---|
| netty | netty | * | ≥4.2.0 – <4.2.13 |
References 3
- github.com https://github.com/netty/netty/commit/0ec3d97fab376e243d328ac95fbd288ba0f6e22d
- github.com https://github.com/netty/netty/pull/16689
- github.com https://github.com/netty/netty/security/advisories/GHSA-rwm7-x88c-3g2p
Remediation
- github.com https://github.com/netty/netty/commit/0ec3d97fab376e243d328ac95fbd288ba0f6e22d
- github.com https://github.com/netty/netty/pull/16689