Bug 2488394 (CVE-2026-45536)

Summary: CVE-2026-45536 netty-transport-native-epoll: netty-transport-native-kqueue: Netty: Denial of Service due to file descriptor leak in SCM_RIGHTS message handling
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
A flaw was found in Netty, a network application framework. A local attacker could exploit a vulnerability in the `netty_unix_socket_recvFd` function when it handles `SCM_RIGHTS` messages on an Epoll or KQueue `DomainSocketChannel` with `DomainSocketReadMode.FILE_DESCRIPTORS` enabled. Incorrect handling of file descriptors could lead to a resource leak, resulting in a Denial of Service (DoS) due to exhaustion of available file descriptors.

Description OSIDB Bzimport 2026-06-12 15:02:19 UTC
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, netty_unix_socket_recvFd sets msg_control to `char control[CMSG_SPACE(sizeof(int))]` (line 940) — 24 bytes on 64-bit Linux. A peer-sent SCM_RIGHTS cmsg carrying two ints has cmsg_len = CMSG_LEN(8) = 24, which fits exactly with no MSG_CTRUNC, so the kernel installs both fds in the receiving process. The subsequent check `cmsg->cmsg_len == CMSG_LEN(sizeof(int))` (line 972, expected 20) fails, the branch that would read the fd is skipped, and neither installed fd is closed. The for(;;) loop calls recvmsg again (non-blocking → EAGAIN → Java maps to 0 → read loop exits normally), leaving two leaked fds per message. There is no MSG_CTRUNC handling. Reachable via Epoll/KQueue DomainSocketChannel when the application opts into DomainSocketReadMode.FILE_DESCRIPTORS (non-default). Versions 4.1.135.Final and 4.2.15.Final patch the issue.
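
An added example, not Netty's code or its actual patch: a C sketch of a receive path that keeps the same `CMSG_SPACE(sizeof(int))` control buffer but walks every `SCM_RIGHTS` descriptor the kernel installed and closes them all unless exactly one arrived without `MSG_CTRUNC`. The names `recv_one_fd`, `send_fds` and `run_case` are hypothetical; the sender only builds constructed test input over a local `socketpair`, and Linux is assumed.

```c
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hardened receive (hypothetical name): one fd, or -1 with nothing left open. */
static int recv_one_fd(int sock) {
    union { char buf[CMSG_SPACE(sizeof(int))]; struct cmsghdr align; } ctl;
    char data; struct iovec iov = { &data, 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = ctl.buf, .msg_controllen = sizeof ctl.buf };
    if (recvmsg(sock, &msg, 0) < 0) return -1;
    int result = -1, bad = (msg.msg_flags & MSG_CTRUNC) != 0;
    for (struct cmsghdr *c = CMSG_FIRSTHDR(&msg); c; c = CMSG_NXTHDR(&msg, c)) {
        if (c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS) continue;
        size_t n = (c->cmsg_len - CMSG_LEN(0)) / sizeof(int);
        for (size_t i = 0; i < n; i++) {        /* every fd the kernel installed */
            int fd; memcpy(&fd, CMSG_DATA(c) + i * sizeof(int), sizeof fd);
            if (n == 1 && result == -1) result = fd; else { close(fd); bad = 1; }
        }
    }
    if (bad && result != -1) { close(result); result = -1; }
    return result;
}

/* Constructed test input: pass n (1 or 2) copies of fd in one SCM_RIGHTS cmsg. */
static int send_fds(int sock, int fd, int n) {
    union { char buf[CMSG_SPACE(2 * sizeof(int))]; struct cmsghdr align; } ctl = {{0}};
    char data = 'x'; struct iovec iov = { &data, 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = ctl.buf,
                          .msg_controllen = CMSG_SPACE(n * sizeof(int)) };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(n * sizeof(int));
    for (int i = 0; i < n; i++) memcpy(CMSG_DATA(c) + i * sizeof fd, &fd, sizeof fd);
    return sendmsg(sock, &msg, 0) < 0 ? -1 : 0;
}

/* Leak check via lowest free fd number: fds left open, or -1 on any surprise. */
static int run_case(int n) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    if (send_fds(sv[0], sv[0], n) < 0) return -1;
    int before = dup(sv[0]); close(before);     /* lowest free fd number */
    int got = recv_one_fd(sv[1]);
    if (got >= 0) close(got);
    int after = dup(sv[0]); close(after); close(sv[0]); close(sv[1]);
    return (got >= 0) != (n == 1) ? -1 : after - before;
}

int main(void) { return run_case(1) == 0 && run_case(2) == 0 ? 0 : 1; }
```

`run_case(2)` exercises the two-descriptor message from the description; a receiver that skips the control message on a length mismatch would make it return 2 instead of 0.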