CVE-2026-42577
Published: 13 May 2026
Summary
CVE-2026-42577 is a high-severity Missing Release of Resource after Effective Lifetime (CWE-772) vulnerability in Netty. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The vulnerability ranks at the 16.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-30120
Vulnerability details
Netty is an asynchronous, event-driven network application framework. From 4.2.0.Final to 4.2.13.Final, Netty's epoll transport fails to detect and close TCP connections that receive a RST after being half-closed, leading to stale channels that are never cleaned up and, in some code paths, a 100% CPU busy-loop in the event loop thread. This vulnerability is fixed in 4.2.13.Final.
- CWE(s): CWE-772 Missing Release of Resource after Effective Lifetime
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The resource leak (CWE-772) in Netty epoll transport directly enables an adversary to trigger application-level DoS via CPU exhaustion (busy-loop) by sending crafted RST packets on half-closed connections.
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Ensures network resources are released once the session ends or becomes inactive, closing the window for missing-release weaknesses.
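As an added illustration of the control above (code written for this page, not taken from the advisory or from the Netty project), the following server pipeline on the epoll transport bounds the lifetime of channels that go quiet: IdleStateHandler raises an event when a channel sees no reads or writes for a window, a small handler closes it, and a channel whose peer has half-closed its side is released after a short grace period. The port (8080), the 30-second idle window and the 5-second grace period are placeholder values chosen here, and it is an assumption that such a bound limits how long the stale channels described in the details section linger; it is not a fix for the bug, which per the advisory is to upgrade to 4.2.13.Final.

```java
// Added example for this page; not part of the advisory or of Netty itself.
// Bounds the lifetime of inactive channels so that a session which ends or
// goes quiet releases its resources, the control cited above. Upgrading to
// the fixed Netty release remains the actual remediation.
import io.netty.bootstrap.ServerBootstrap;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelInboundHandlerAdapter;
import io.netty.channel.ChannelInitializer;
import io.netty.channel.EventLoopGroup;
import io.netty.channel.epoll.EpollEventLoopGroup;
import io.netty.channel.epoll.EpollServerSocketChannel;
import io.netty.channel.socket.ChannelInputShutdownEvent;
import io.netty.channel.socket.SocketChannel;
import io.netty.handler.timeout.IdleState;
import io.netty.handler.timeout.IdleStateEvent;
import io.netty.handler.timeout.IdleStateHandler;
import java.util.concurrent.TimeUnit;

public final class StaleChannelGuard {

    // Placeholder values for this illustration, not recommendations.
    static final int PORT = 8080;
    static final long IDLE_SECONDS = 30;
    static final long HALF_CLOSE_GRACE_SECONDS = 5;

    /**
     * Closes a channel that has been idle in both directions for the window
     * configured in IdleStateHandler, and releases a channel shortly after
     * the peer half-closes its side (ChannelInputShutdownEvent is only fired
     * when ChannelOption.ALLOW_HALF_CLOSURE is enabled on the child channel;
     * otherwise Netty closes the channel itself on input shutdown).
     */
    static final class IdleCloser extends ChannelInboundHandlerAdapter {
        @Override
        public void userEventTriggered(ChannelHandlerContext ctx, Object evt) throws Exception {
            if (evt instanceof IdleStateEvent
                    && ((IdleStateEvent) evt).state() == IdleState.ALL_IDLE) {
                // No reads or writes within the window: treat the session as over.
                ctx.close();
                return;
            }
            if (evt instanceof ChannelInputShutdownEvent) {
                // Peer sent FIN: allow a short grace period for pending writes,
                // then release the channel instead of leaving it half-open forever.
                ctx.executor().schedule(ctx::close, HALF_CLOSE_GRACE_SECONDS, TimeUnit.SECONDS);
                return;
            }
            super.userEventTriggered(ctx, evt);
        }
    }

    /** Pipeline wiring: IdleStateHandler emits the events, IdleCloser acts on them. */
    static ChannelInitializer<SocketChannel> initializer() {
        return new ChannelInitializer<SocketChannel>() {
            @Override
            protected void initChannel(SocketChannel ch) {
                ch.pipeline()
                  // readerIdle and writerIdle disabled (0); allIdle after IDLE_SECONDS
                  .addLast(new IdleStateHandler(0, 0, IDLE_SECONDS, TimeUnit.SECONDS))
                  .addLast(new IdleCloser());
                // Application handlers would be added after the guard.
            }
        };
    }

    public static void main(String[] args) throws InterruptedException {
        // Epoll transport, the one the advisory concerns (Linux only).
        EventLoopGroup boss = new EpollEventLoopGroup(1);
        EventLoopGroup workers = new EpollEventLoopGroup();
        try {
            ServerBootstrap bootstrap = new ServerBootstrap()
                .group(boss, workers)
                .channel(EpollServerSocketChannel.class)
                .childHandler(initializer());
            bootstrap.bind(PORT).sync().channel().closeFuture().sync();
        } finally {
            workers.shutdownGracefully();
            boss.shutdownGracefully();
        }
    }
}
```

The guard belongs at the head of the pipeline so that the idle timer sees every read and write, and it should be applied to the child (accepted) channels, as the ServerBootstrap childHandler does here. Whether the closing task runs promptly on a thread that is already spinning in the busy-loop path described in the details section is not something this example can guarantee, which is another reason the version upgrade remains the real remediation.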