CVE-2026-42577

Source
https://cve.org/CVERecord?id=CVE-2026-42577
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-42577.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-42577
Aliases
Downstream
Related
Published
2026-05-13T18:00:28.744Z
Modified
2026-06-18T12:38:42.956175Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Netty: epoll transport denial of service via RST on half-closed TCP connection
Details

Netty is an asynchronous, event-driven network application framework. From 4.2.0.Final to 4.2.13.Final , Netty's epoll transport fails to detect and close TCP connections that receive a RST after being half-closed, leading to stale channels that are never cleaned up and, in some code paths, a 100% CPU busy-loop in the event loop thread. This vulnerability is fixed in 4.2.13.Final.

Database specific
{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42577.json",
    "cwe_ids": [
        "CWE-772"
    ]
}
References

Affected packages

Git / github.com/netty/netty

Affected ranges

Type
GIT
Repo
https://github.com/netty/netty
Events
Database specific
{
    "cpe": "cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "4.2.0"
        },
        {
            "fixed": "4.2.13"
        }
    ],
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ]
}

Affected versions

netty-4.*
netty-4.2.0.Final
netty-4.2.1.Final
netty-4.2.10.Final
netty-4.2.11.Final
netty-4.2.12.Final
netty-4.2.2.Final
netty-4.2.3.Final
netty-4.2.4.Final
netty-4.2.5.Final
netty-4.2.6.Final
netty-4.2.7.Final
netty-4.2.8.Final
netty-4.2.9.Final

Database specific

vanir_signatures
[
    {
        "id": "CVE-2026-42577-6bdc54e8",
        "source": "https://github.com/netty/netty/commit/0ec3d97fab376e243d328ac95fbd288ba0f6e22d",
        "signature_type": "Line",
        "target": {
            "file": "transport-classes-epoll/src/main/java/io/netty/channel/epoll/EpollIoHandler.java"
        },
        "signature_version": "v1",
        "digest": {
            "line_hashes": [
                "267687718868993077253856388736849719097",
                "188992194459613138613784690627518847917",
                "200474078071907984831406521905452230612",
                "78395304424485402914583387299202286859",
                "325754103854524720337919068456232375543",
                "98222878299760390389406767777718182693",
                "147764426977996594536933008960073059842"
            ],
            "threshold": 0.9
        },
        "deprecated": false
    },
    {
        "id": "CVE-2026-42577-ad263d6b",
        "source": "https://github.com/netty/netty/commit/0ec3d97fab376e243d328ac95fbd288ba0f6e22d",
        "signature_type": "Line",
        "target": {
            "file": "transport-classes-epoll/src/main/java/io/netty/channel/epoll/EpollIoOps.java"
        },
        "signature_version": "v1",
        "digest": {
            "line_hashes": [
                "79540637913892001781854564469934915541",
                "304133242599967490774878790155770157107",
                "174349633445048955796182712445559282905",
                "86546533206779746400273126350161981654",
                "223162066409148940437041859720531888015",
                "170079930641027186119479725412528554761",
                "216885489603780539550980223198002647413"
            ],
            "threshold": 0.9
        },
        "deprecated": false
    },
    {
        "id": "CVE-2026-42577-be98dc0e",
        "source": "https://github.com/netty/netty/commit/0ec3d97fab376e243d328ac95fbd288ba0f6e22d",
        "signature_type": "Function",
        "target": {
            "file": "transport-classes-epoll/src/main/java/io/netty/channel/epoll/EpollIoHandler.java",
            "function": "submit"
        },
        "signature_version": "v1",
        "digest": {
            "function_hash": "236417920159356120085712229034849364357",
            "length": 527.0
        },
        "deprecated": false
    }
]
source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-42577.json"
vanir_signatures_modified
"2026-06-18T12:38:42Z"