Netty CVE-2026-42577: Stale Connections Lead to 100% CPU Busy-Loops
The National Vulnerability Database has detailed CVE-2026-42577, a high-severity vulnerability (CVSS 7.5) affecting Netty, an asynchronous network application framework. Specifically, Netty’s epoll transport, in versions 4.2.0.Final through 4.2.13.Final, fails to properly detect and close TCP connections that receive a RST (reset) flag after being half-closed. This critical flaw allows for the accumulation of stale channels that are never cleaned up.
The direct consequence of this improper handling is a denial-of-service condition. In certain code paths, the vulnerability can lead to a 100% CPU busy-loop within the event loop thread. For applications relying on Netty for network communication, this translates to significant performance degradation or complete service unavailability, making the application unresponsive to legitimate requests.
This vulnerability, categorized as CWE-772 (Improper Cleanup of Leftover Data), underscores the importance of robust connection state management. The National Vulnerability Database confirms that the issue is resolved in Netty version 4.2.13.Final. Defenders must prioritize patching to mitigate the risk of resource exhaustion and ensure application stability.
What This Means For You
- If your organization uses Netty in its applications, you must immediately audit your dependency versions. Any service running Netty versions from 4.2.0.Final to 4.2.13.Final is susceptible to a denial-of-service attack via resource exhaustion. Prioritize upgrading to Netty 4.2.13.Final or later to address CVE-2026-42577 and prevent your applications from being crippled by a busy-loop.
Related ATT&CK Techniques
🛡️ Detection Rules
1 rule · 6 SIEM formats1 detection rule auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
Netty CVE-2026-42577 Stale Connection CPU Busy-Loop
title: Netty CVE-2026-42577 Stale Connection CPU Busy-Loop
id: scw-2026-05-13-ai-1
status: experimental
level: high
description: |
Detects potential exploitation of Netty CVE-2026-42577 by identifying Netty processes that are receiving RST packets, which can lead to a 100% CPU busy-loop due to stale connections not being properly closed.
author: SCW Feed Engine (AI-generated)
date: 2026-05-13
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-42577/
tags:
- attack.initial_access
- attack.t1190
logsource:
category: webserver
detection:
selection:
Image|contains:
- 'netty'
cs-uri-query|contains:
- 'RST'
condition: selection
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-42577 | DoS | Netty versions 4.2.0.Final to 4.2.13.Final |
| CVE-2026-42577 | DoS | Netty epoll transport failure to detect and close TCP connections after RST on half-closed connections |
| CVE-2026-42577 | DoS | Stale channels leading to 100% CPU busy-loop in event loop thread |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 13, 2026 at 22:17 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
CVE-2026-44351: Critical fast-jwt Auth Bypass via Empty Key
CVE-2026-44351 — fast-jwt provides fast JSON Web Token (JWT) implementation. Prior to 6.2.4, a critical authentication-bypass vulnerability in fast-jwt's async key-resolver flow allows any unauthenticated...
CVE-2026-42552: Flight PHP Framework Leaks Critical Server Info
CVE-2026-42552 — Flight is an extensible micro-framework for PHP. Prior to 3.18.1, the default error handler Engine::_error() writes the full exception message, exception code, and...
Flight PHP Framework CVE-2026-42551: CSRF & Cache Poisoning Risk
CVE-2026-42551 — Flight is an extensible micro-framework for PHP. Prior to 3.18.1, Request::getMethod() unconditionally honors the X-HTTP-Method-Override header and the $_REQUEST['_method'] parameter on any HTTP...