Network Application Framework Vulnerability in Netty by TProger
CVE-2026-50010
7.5HIGH
What is CVE-2026-50010?
The vulnerability in the Netty framework arises from its handling of X509TrustManager. The method SimpleTrustManagerFactory.engineGetTrustManagers() improperly wraps user-supplied plain X509TrustManager instances, which leads to the potential for hostname verification bypasses. Thus, clients created with SslContextBuilder.forClient().trustManager(somePlainX509TrustManager) may omit critical hostname verification, despite default settings aiming to enforce it. This limitation is rectified in versions 4.1.135.Final and 4.2.15.Final.
Affected Version(s)
netty >= 4.2.0.Final, < 4.2.15.Final < 4.2.0.Final, 4.2.15.Final
netty < 4.1.135.Final < 4.1.135.Final
