CVE-2026-50010
HIGH 7.5Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, SimpleTrustManagerFactory.engineGetTrustManagers() and related paths wrap any user-supplied plain X509TrustManager in X509TrustManagerWrapper, which extends X509ExtendedTrustManager but implements the 3-arg checkServerTrusted(chain, authType, SSLEngine) by discarding the SSLEngine and calling the 2-arg delegate. Because the object now IS an X509ExtendedTrustManager, neither SunJSSE's internal AbstractTrustManagerWrapper nor Netty's own OpenSslX509TrustManagerWrapper will re-wrap it to add endpoint-identification. Consequently, even though Netty 4.2 sets endpointIdentificationAlgorithm="HTTPS" by default, a client built with `SslContextBuilder.forClient().trustManager(somePlainX509TrustManager)` performs no hostname verification at all. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Severe if exploited (CVSS 7.5), but no known exploitation and low modeled probability. Patch on a normal cadence.
Exploitation likelihood
0.3%chance of exploitation in 30 days · 19th percentile
Impact if exploited
7.5CVSS 3.1 · HIGH
- ConfidentialityHigh
- IntegrityNone
- AvailabilityNone
What an attacker needs
- ✓Access: Reachable over the network — no local access needed
- ✓Privileges: No account or privileges required
- ✓User interaction: No user interaction needed
- ✓Complexity: No special conditions — reliably repeatable
✓ lowers the bar for an attacker · ⚠ raises it
Affected
Products Netty Red Hat Build Of Apache Camel 3.33 For Quarkus 3.33.2.Sp1 Red Hat Offline Knowledge Portal 1.2.6 Red Hat Build Of Quarkus 3.27.4.Sp1 Red Hat Build Of Quarkus 3.33.2.Sp1 Cryostat 4 Openshift Serverless Red Hat Amq Broker 7
Weakness (CWE)
- CWE-347
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
References
Advisories
Technical & other
- https://github.com/netty/netty/security/advisories/GHSA-c653-97m9-rcg9
- https://github.com/netty/netty/releases/tag/netty-4.1.135.Final
- https://github.com/netty/netty/releases/tag/netty-4.2.15.Final
- https://access.redhat.com/security/cve/CVE-2026-50010
- https://bugzilla.redhat.com/show_bug.cgi?id=2488429
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-50010.json