PT-2026-47608 · Maven · Io.Netty:Netty-Transport-Native-Epoll+1
Published: 2026-06-08 · Updated: 2026-06-08 · CVE-2026-45536
| CVSS v3.1 | 4.0 (Medium) |
| --- | --- |
| Vector | AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
`netty_unix_socket_recvFd` sets `msg_control` to `char control[CMSG_SPACE(sizeof(int))]` (line 940), which is 24 bytes on 64-bit Linux. A peer-sent `SCM_RIGHTS` cmsg carrying two ints has `cmsg_len = CMSG_LEN(8) = 24`, which fits exactly with no `MSG_CTRUNC`, so the kernel installs both fds in the receiving process. The subsequent check `cmsg->cmsg_len == CMSG_LEN(sizeof(int))` (line 972, expected 20) fails, the branch that would read the fd is skipped, and neither installed fd is closed. The `for(;;)` loop calls `recvmsg` again (non-blocking → `EAGAIN` → Java maps to 0 → read loop exits normally), leaving two leaked fds per message. There is no `MSG_CTRUNC` handling. Reachable via Epoll/KQueue `DomainSocketChannel` when the application opts into `DomainSocketReadMode.FILE_DESCRIPTORS` (non-default).
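A receive routine that avoids the leak described above, shown as an added example (it is not Netty's code or its patch): it walks every descriptor the kernel installed, keeps one only when exactly one arrived without `MSG_CTRUNC`, and closes the rest. The names `recv_single_fd`, `send_fds` and `leaked_after` are hypothetical, and the loopback sender is constructed test input.

```c
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hardened receive: returns the one passed fd, or -1 after closing every installed fd. */
int recv_single_fd(int sock) {
    char data; _Alignas(struct cmsghdr) char ctl[CMSG_SPACE(sizeof(int))]; /* 24 bytes on 64-bit Linux */
    struct iovec iov = { &data, 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = ctl, .msg_controllen = sizeof ctl };
    int result = -1, seen = 0, fd;
    if (recvmsg(sock, &msg, 0) < 0) return -1;
    for (struct cmsghdr *c = CMSG_FIRSTHDR(&msg); c; c = CMSG_NXTHDR(&msg, c)) {
        if (c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS) continue;
        size_t n = (c->cmsg_len - CMSG_LEN(0)) / sizeof(int);
        for (size_t i = 0; i < n; i++) {       /* visit every fd the kernel installed */
            memcpy(&fd, CMSG_DATA(c) + i * sizeof(int), sizeof fd);
            if (seen++ == 0) result = fd; else close(fd);
        }
    }
    if (seen == 1 && !(msg.msg_flags & MSG_CTRUNC)) return result;
    if (result >= 0) close(result);            /* unexpected shape: release and reject */
    return -1;
}

/* Constructed test peer (hypothetical helper): passes `fd` nfds times (1..4) in one cmsg. */
static int send_fds(int sock, int fd, int nfds) {
    char data = 'x'; _Alignas(struct cmsghdr) char ctl[CMSG_SPACE(4 * sizeof(int))] = {0};
    struct iovec iov = { &data, 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = ctl, .msg_controllen = CMSG_SPACE(nfds * sizeof(int)) };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(nfds * sizeof(int));
    for (int i = 0; i < nfds; i++) memcpy(CMSG_DATA(c) + i * sizeof(int), &fd, sizeof fd);
    return sendmsg(sock, &msg, 0) < 0 ? -1 : 0;
}

/* Rise in the lowest free fd number after one message (0 = no leak); -1 on a wrong verdict. */
int leaked_after(int nfds) {
    int sp[2], lo, hi, got;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp) < 0 || send_fds(sp[0], sp[0], nfds) < 0) return -1;
    close(lo = dup(sp[0]));                    /* lowest free fd before receiving */
    got = recv_single_fd(sp[1]);
    if (got >= 0) close(got);                  /* the accepted fd is the caller's to release */
    close(hi = dup(sp[0])); close(sp[0]); close(sp[1]);
    return ((got >= 0) == (nfds == 1)) ? hi - lo : -1;
}

int main(void) { return leaked_after(1) || leaked_after(2) || leaked_after(3); } /* 0 = no leak */
```

The three-fd case exercises truncation: the 24-byte control buffer has room for only two descriptors, so the kernel sets `MSG_CTRUNC` and both installed descriptors are closed.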
Information Disclosure
Missing Release of Resource after Effective Lifetime
Related Identifiers
Affected Products
Io.Netty:Netty-Transport-Native-Epoll
Io.Netty:Netty-Transport-Native-Kqueue