VYPR
High severity · 7.5 · GHSA Advisory · Published May 13, 2026 · Updated May 14, 2026

CVE-2026-42577

Description

Netty is an asynchronous, event-driven network application framework. From 4.2.0.Final to 4.2.13.Final, Netty's epoll transport fails to detect and close TCP connections that receive a RST after being half-closed, leading to stale channels that are never cleaned up and, in some code paths, a 100% CPU busy-loop in the event loop thread. This vulnerability is fixed in 4.2.13.Final.
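The kernel behaviour behind the busy-loop is that epoll reports EPOLLERR and EPOLLHUP for a registered fd regardless of the interest mask, so a channel that has nothing left to handle but is still in the epoll set wakes the event loop on every poll until it is deleted. The C program below is an added example, not code from Netty or from this advisory; it reproduces that behaviour on Linux with a local `socketpair` (a constructed stand-in for a TCP connection, with the peer's `close` standing in for the RST), registers the near end with an empty interest mask, half-closes it, tears down the peer, and counts how many zero-timeout `epoll_wait` calls still report the fd with and without an `EPOLL_CTL_DEL`. The function names `run_scenario`, `wakeups_with_empty_mask` and `wakeups_after_delete` are my own.

```c
#include <stdio.h>
#include <sys/epoll.h>
#include <sys/socket.h>
#include <unistd.h>

/* Count how many of `rounds` zero-timeout epoll_wait calls report `fd`.
 * A level-triggered condition that is never cleared yields one hit per call,
 * which is exactly the hot loop an event loop thread would spin in. */
static int count_wakeups(int epfd, int fd, int rounds) {
    int hits = 0;
    for (int i = 0; i < rounds; i++) {
        struct epoll_event ev;
        int n = epoll_wait(epfd, &ev, 1, 0);
        if (n == 1 && ev.data.fd == fd) {
            hits++;
        }
    }
    return hits;
}

/* Constructed scenario: a local stream socket pair stands in for a TCP
 * connection. The near end (sv[0]) is half-closed for writing and its epoll
 * interest mask is 0 (nothing to read, nothing to write); then the far end is
 * closed, which stands in for the peer's RST. With delete_when_idle set, the fd
 * is removed from the epoll set once there is nothing to handle, as the fix does.
 * Returns the number of wakeups seen in 10 polls, or -1 on setup failure. */
static int run_scenario(int delete_when_idle) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) {
        return -1;
    }
    int epfd = epoll_create1(0);
    if (epfd < 0) {
        close(sv[0]);
        close(sv[1]);
        return -1;
    }
    /* Interest mask 0. The kernel still reports EPOLLERR and EPOLLHUP for this
     * fd; the mask only filters the other event bits. */
    struct epoll_event ev = { .events = 0 };
    ev.data.fd = sv[0];
    if (epoll_ctl(epfd, EPOLL_CTL_ADD, sv[0], &ev) != 0) {
        close(sv[0]);
        close(sv[1]);
        close(epfd);
        return -1;
    }
    shutdown(sv[0], SHUT_WR); /* half-close the near end */
    close(sv[1]);             /* peer goes away: sv[0] now has EPOLLHUP pending */
    if (delete_when_idle) {
        /* What the fix does when the ops value is NONE: drop the fd from epoll. */
        epoll_ctl(epfd, EPOLL_CTL_DEL, sv[0], NULL);
    }
    int hits = count_wakeups(epfd, sv[0], 10);
    close(sv[0]);
    close(epfd);
    return hits;
}

/* Stale channel left registered with an empty mask: one wakeup per poll. */
int wakeups_with_empty_mask(void) {
    return run_scenario(0);
}

/* Channel deleted from the epoll set once idle: no wakeups at all. */
int wakeups_after_delete(void) {
    return run_scenario(1);
}

int main(void) {
    printf("registered with mask 0: %d wakeups in 10 polls\n", wakeups_with_empty_mask());
    printf("deleted from epoll:     %d wakeups in 10 polls\n", wakeups_after_delete());
    return 0;
}
```

The first call reports the fd on every poll even though the registration asked for no events, which is the state the advisory describes as a stale channel burning CPU; the second shows that deleting the fd, rather than modifying its mask to 0, is what actually silences it. In a real event loop the signal to watch for is an `epoll_wait` that keeps returning immediately with only EPOLLHUP or EPOLLERR set for an fd the application has no handler work left for.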

Patches

0ec3d97fab37

Epoll: Correctly delete fd from epoll if there is nothing to handle (#16689)

https://github.com/netty/netty · Norman Maurer · Apr 25, 2026 · via ghsa
2 files changed · +20 −1
  • transport-classes-epoll/src/main/java/io/netty/channel/epoll/EpollIoHandler.java · +12 −0 · modified
    @@ -261,9 +261,21 @@ public long submit(IoOps ops) {
                             case Cancelled:
                                 return -1;
                             case Pending:
    +                            if (epollIoOps.value == EpollIoOps.NONE.value) {
    +                                // 0 is a special value that basically means we should remove the registration.
    +                                // As we did not add the fd yet we should just return.
    +                                return 0;
    +                            }
                                 Native.epollCtlAdd(epollFd.intValue(), handle.fd().intValue(), epollIoOps.value);
                                 state = RegistrationState.Added;
    +                            return epollIoOps.value;
                             case Added:
    +                            if (epollIoOps.value == EpollIoOps.NONE.value) {
    +                                // 0 means there is nothing to handle anymore, unregister the fd as otherwise
    +                                // we might get notified forever because of EPOLLHUP / EPOLLERR.
    +                                Native.epollCtlDel(epollFd.intValue(), handle.fd().intValue());
    +                                return 0;
    +                            }
                                 Native.epollCtlMod(epollFd.intValue(), handle.fd().intValue(), epollIoOps.value);
                                 return epollIoOps.value;
                             default:
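Review bot: In the `case Added:` branch, after `Native.epollCtlDel(...)` the registration is left in `RegistrationState.Added` because nothing resets `state`; a later `submit` with a non-`NONE` ops would take the `Added` path again and call `Native.epollCtlMod` on an fd that is no longer in the epoll set, which fails with ENOENT. Unless every submit of `NONE` is guaranteed to be followed by cancellation, move the state back to a not-yet-added value before the `return 0;` (for instance `state = RegistrationState.Pending;`) so that a later re-registration goes through `epollCtlAdd`. Separately, the added `return epollIoOps.value;` after `state = RegistrationState.Added;` removes the previous fall-through from `case Pending:` into `case Added:`, which issued an `epollCtlMod` immediately after the `epollCtlAdd`; that is a behaviour change for every registration, not only `NONE`, and deserves a sentence in the commit message.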
    
  • transport-classes-epoll/src/main/java/io/netty/channel/epoll/EpollIoOps.java · +8 −1 · modified
    @@ -51,6 +51,12 @@ public final class EpollIoOps implements IoOps {
     
         public static final EpollIoOps EPOLLET = new EpollIoOps(Native.EPOLLET);
     
    +    /**
    +     * Special {@link EpollIoOps} which basically means we are not interested in any event and so should remove the
    +     * fd from underlying epoll fd.
    +     */
    +    public static final EpollIoOps NONE = new EpollIoOps(0);
    +
         static final int EPOLL_ERR_OUT_MASK = EpollIoOps.EPOLLERR.value | EpollIoOps.EPOLLOUT.value;
         static final int EPOLL_ERR_IN_MASK = EpollIoOps.EPOLLERR.value | EpollIoOps.EPOLLIN.value;
         static final int EPOLL_RDHUP_MASK = EpollIoOps.EPOLLRDHUP.value;
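Review bot: The Javadoc on `NONE` says what the value means but not what submitting it does. Since `submit` now removes the fd from the epoll set and returns 0 for it, the doc should state that a registration which has submitted `NONE` has to be added again (not modified) before any other ops can be delivered, and should give the reason the special case exists, namely that `EPOLLERR` and `EPOLLHUP` are reported regardless of the interest mask, so a mask of 0 alone does not stop wakeups. "basically" reads as hedging in API documentation; drop it.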
    @@ -60,7 +66,8 @@ public final class EpollIoOps implements IoOps {
     
         static {
             EpollIoOps all = new EpollIoOps(EPOLLOUT.value | EPOLLIN.value | EPOLLERR.value | EPOLLRDHUP.value);
    -        EVENTS = new EpollIoEvent[all.value + 1];
    +        EVENTS = new EpollIoEvent[all.value + 2];
    +        addToArray(EVENTS, NONE);
             addToArray(EVENTS, EPOLLOUT);
             addToArray(EVENTS, EPOLLIN);
             addToArray(EVENTS, EPOLLERR);
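Review bot: `EVENTS = new EpollIoEvent[all.value + 2];` looks off by one in the wrong direction. If `addToArray` stores each entry at index `value`, then `NONE` (value 0) already fits within the original `all.value + 1` slots and the extra slot is dead space; if it fills the array sequentially, the size should be the number of entries rather than a mask-derived value. `addToArray` is not in this hunk, so a short comment on how `EVENTS` is indexed would make the sizing reviewable.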
    

