Cyber Resilience

CVE-2026-42577

Severity: High

Published: 13 May 2026
Modified: 18 May 2026
KEV Added: not listed
CVSS Score (v3.1): 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0005 (16.5th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-42577 is a high-severity Missing Release of Resource after Effective Lifetime (CWE-772) vulnerability in Netty (vendor Netty, product Netty). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The vulnerability is ranked at the 16.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Vulnerability details

Netty is an asynchronous, event-driven network application framework. From 4.2.0.Final to 4.2.13.Final, Netty's epoll transport fails to detect and close TCP connections that receive a RST after being half-closed, leading to stale channels that are never cleaned up and, in some code paths, a 100% CPU busy-loop in the event loop thread. This vulnerability is fixed in 4.2.13.Final.

CWE(s)

CWE-772: Missing Release of Resource after Effective Lifetime
Related Threats

MITRE ATT&CK Enterprise Techniques (AI-derived mapping)

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

The resource leak (CWE-772) in Netty's epoll transport directly enables an adversary to trigger application-level DoS via CPU exhaustion (busy-loop) by sending crafted RST packets on half-closed connections.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-42582 (same product: Netty Netty)
CVE-2026-42583 (same product: Netty Netty)
CVE-2026-42587 (same product: Netty Netty)
CVE-2026-33871 (same product: Netty Netty)
CVE-2026-42584 (same product: Netty Netty)
CVE-2026-33870 (same product: Netty Netty)
CVE-2026-42579 (same product: Netty Netty)
CVE-2025-24970 (same product: Netty Netty)
CVE-2025-22891 (shared CWE-772)
CVE-2025-30256 (shared CWE-772)

Affected Assets

Vendor: netty
Product: netty
Affected versions: 4.2.0 — 4.2.13

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-772: Ensures network resources are released once the session ends or becomes inactive, closing the window for missing-release weaknesses.