Netty: Unix-socket fd receive leaks descriptors when peer sends two at once – CVE-2026-45536 (Moderate) -DC-Jun2026-294


CVE‑2026‑45536 – Missing Release of Resource after Effective Lifetime (CWE‑772)
The vulnerability resides in Netty’s native Unix socket helper function `netty_unix_socket_recvFd`, which receives file descriptors over a Unix domain socket when the application has enabled the non‑default `DomainSocketReadMode.FILE_DESCRIPTORS`.
In the vulnerable code, the function allocates a control message buffer as `char control[CMSG_SPACE(sizeof(int))]`. On 64‑bit Linux, `CMSG_SPACE(sizeof(int))` expands to 24 bytes (a 16‑byte `cmsghdr` plus the 4‑byte payload, padded to 8‑byte alignment). The buffer is sized to hold a `SCM_RIGHTS` control message that transports exactly one file descriptor.
When a peer sends a `SCM_RIGHTS` control message carrying two file descriptors, the kernel computes its total length as `cmsg_len = CMSG_LEN(8) = 24`. Because that message fits the 24‑byte buffer exactly, the kernel has no reason to set `MSG_CTRUNC`: it installs both file descriptors into the receiving process, even though the application sized its buffer on the assumption of a single FD.
After `recvmsg()` returns, the function inspects the control message:

```c
if (cmsg->cmsg_len == CMSG_LEN(sizeof(int)))
```

Here `CMSG_LEN(sizeof(int))` expands to 20 bytes (the `cmsghdr` plus the payload for a single int). The message from the peer has cmsg_len = 24, so the equality check fails. The code branch that would extract and close the received file descriptors is skipped.
The outer `for(;;)` loop calls `recvmsg()` again. Because the socket is non‑blocking, the next call returns EAGAIN, which Netty maps to a zero‑byte read, and the read loop exits normally.
No code path ever closes the two file descriptors that the kernel already installed. Both descriptors are leaked for each such message that is received. There is no handling of `MSG_CTRUNC` and no fallback to parse a variable‑sized `SCM_RIGHTS` message.
Reachability: The issue is triggered only when the application explicitly opts into `DomainSocketReadMode.FILE_DESCRIPTORS` on an `EpollDomainSocketChannel` or `KQueueDomainSocketChannel` – a non‑default configuration. All other configurations are unaffected.

DailyCVE Form:

Platform: Netty native transports
Version: 4.2.0‑4.2.14 / 4.1.0‑4.1.134
Vulnerability: Missing resource release
Severity: Moderate
Date: 2026‑06‑08

Prediction: 2026‑06‑02

What Undercode Say

Check your Netty version:

```sh
# Maven projects
mvn dependency:tree | grep netty
# Gradle
gradle dependencies | grep netty
# Direct JAR inspection
unzip -p netty-common-4.1.134.Final.jar META-INF/MANIFEST.MF | grep Implementation-Version
```

Test whether your application is vulnerable (simplified PoC):

```java
// Enable the vulnerable mode
DomainSocketChannel ch = ...;
ch.config().setReadMode(DomainSocketReadMode.FILE_DESCRIPTORS);
// Peer sends SCM_RIGHTS with two FDs (pseudocode for a native sendmsg() call;
// at least one byte of ordinary data must accompany the ancillary message)
int[] fds = { fd1, fd2 };
byte[] buf = new byte[1];
sendmsg(unixSocket, buf, buf.length, fds);
// On receiver side – after read, leaked FDs are never closed
// `lsof -p <pid> | wc -l` will show a growing descriptor count
```

Exploit

An attacker who can send a crafted `SCM_RIGHTS` control message over a Unix domain socket to a Netty‑based service (with `FILE_DESCRIPTORS` mode enabled) will cause the kernel to install two file descriptors per message without the application ever closing them. Repeated exploitation exhausts the process’s file descriptor limit, leading to denial of service. A single attacker can send thousands of such messages, quickly depleting the descriptor pool and preventing the service from accepting new connections or performing any I/O.

Protection

  • Upgrade to Netty 4.2.15.Final or 4.1.135.Final (or later).
  • Mitigate by avoiding `DomainSocketReadMode.FILE_DESCRIPTORS` unless absolutely necessary.
  • If upgrade is impossible, backport the patch that introduces proper `MSG_CTRUNC` handling and variable‑length `SCM_RIGHTS` parsing.
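The length check described above, and the variable‑length `SCM_RIGHTS` parsing with `MSG_CTRUNC` handling that the backport bullet calls for, as an added example (not Netty's own code; `recv_fds_safe`, `demo_two_fds` and the `MAX_FDS` cap are this example's names, and the demo exchanges the two FDs over a local socketpair):

```c
// Added example, not Netty's code: a hardened SCM_RIGHTS receiver that derives
// the fd count from cmsg_len and closes what the kernel installed on MSG_CTRUNC.
#define _GNU_SOURCE
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#define MAX_FDS 4
/* Receive up to MAX_FDS descriptors into out[]. Returns the count, or -1 after
   closing every fd the kernel installed when the message was truncated. */
int recv_fds_safe(int sock, int *out) {
    union { char buf[CMSG_SPACE(MAX_FDS * sizeof(int))]; struct cmsghdr hdr; } u;
    char data;
    struct iovec iov = { &data, 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    if (recvmsg(sock, &msg, MSG_CMSG_CLOEXEC) < 0) return -1;  /* EAGAIN etc. */
    int n = 0;
    for (struct cmsghdr *c = CMSG_FIRSTHDR(&msg); c; c = CMSG_NXTHDR(&msg, c)) {
        if (c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS) continue;
        int *fds = (int *)CMSG_DATA(c);
        size_t count = (c->cmsg_len - CMSG_LEN(0)) / sizeof(int); /* 24 -> 2 */
        for (size_t i = 0; i < count; i++)
            if (n < MAX_FDS) out[n++] = fds[i]; else close(fds[i]);
    }
    if (msg.msg_flags & MSG_CTRUNC) {      /* kernel dropped part of the cmsg: */
        while (n > 0) close(out[--n]);     /* release what it did install */
        return -1;
    }
    return n;
}
/* The advisory's scenario on a socketpair: the peer sends two fds in one 24-byte
   SCM_RIGHTS message. Returns how many were recovered and then closed (2). */
int demo_two_fds(void) {
    union { char buf[CMSG_SPACE(2 * sizeof(int))]; struct cmsghdr hdr; } u;
    int sv[2], in[2], out[MAX_FDS], n = -1;
    char data = 0;                         /* stream sockets need one data byte */
    struct iovec iov = { &data, 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    *c = (struct cmsghdr){ .cmsg_len = CMSG_LEN(2 * sizeof(int)),
                           .cmsg_level = SOL_SOCKET, .cmsg_type = SCM_RIGHTS };
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0 ||       /* sv: channel */
        socketpair(AF_UNIX, SOCK_STREAM, 0, in) < 0) return -1; /* in: payload */
    memcpy(CMSG_DATA(c), in, sizeof in);
    if (sendmsg(sv[0], &msg, 0) == 1) n = recv_fds_safe(sv[1], out);
    for (int i = 0; i < n; i++) close(out[i]);   /* nothing is left open */
    close(in[0]); close(in[1]); close(sv[0]); close(sv[1]);
    return n;
}
```

With the original equality check, the same 24‑byte message would match neither branch and both descriptors would stay open; here every descriptor the kernel installs is either handed to the caller or closed.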

Impact

  • Availability: High. Unchecked file descriptor exhaustion leads to denial of service.
  • Confidentiality / Integrity: None. The vulnerability does not expose or corrupt data.
  • Attack complexity: Low. An attacker only needs to send a well‑formed Unix domain socket message.
  • Privileges required: None (remote attacker).
  • User interaction: None.


Sources:

Reported By: github.com