CVE-2026-45536
MediumCVSS 4.0Exploitation Probability (EPSS)
Low risk9th percentile — higher than 9% of all known CVEs
Summary
In versions prior to 4.1.135.Final and 4.2.15.Final of the Netty framework, there is a vulnerability related to improper handling of SCM_RIGHTS messages, leading to file descriptor leaks. Due to incorrect message length handling, two file descriptors may be installed in the receiving process but not closed.
Risk Assessment
Organizations may be exposed to resource leaks, which can lead to exhaustion of available file descriptors and potential performance issues for applications. Prolonged application operation may result in serious operational problems.
Recommendation
It is recommended to upgrade to versions 4.1.135.Final or 4.2.15.Final to mitigate this vulnerability. Additionally, monitor applications using DomainSocketReadMode.FILE_DESCRIPTORS for potential leaks.
Original NVD description (English source)
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, netty_unix_socket_recvFd sets msg_control to `char control[CMSG_SPACE(sizeof(int))]` (line 940) — 24 bytes on 64-bit Linux. A peer-sent SCM_RIGHTS cmsg carrying two ints has cmsg_len = CMSG_LEN(8) = 24, which fits exactly with no MSG_CTRUNC, so the kernel installs both fds in the receiving process. The subsequent check `cmsg->cmsg_len == CMSG_LEN(sizeof(int))` (line 972, expected 20) fails, the branch that would read the fd is skipped, and neither installed fd is closed. The for(;;) loop calls recvmsg again (non-blocking → EAGAIN → Java maps to 0 → read loop exits normally), leaving two leaked fds per message. There is no MSG_CTRUNC handling. Reachable via Epoll/KQueue DomainSocketChannel when the application opts into DomainSocketReadMode.FILE_DESCRIPTORS (non-default). Versions 4.1.135.Final and 4.2.15.Final patch the issue.

