CVE-2026-11576
eclipse-threadx NetX Duo HTTP Server fx_file_close Uninitialized Handle Vulnerability
Description
The security fix for CVE-2025-0728 in eclipse-threadx NetX Duo refactors error handling in the HTTP server PUT process to use a shared cleanup label, but this unified cleanup path unconditionally calls fx_file_close() even when the file was never successfully opened. Multiple error branches jump to the shared cleanup label before any file open operation has occurred, causing fx_file_close() to operate on an uninitialized file handle, leading to undefined behavior, double-close issues, or memory corruption.
INFO
Published Date :
June 19, 2026, 8:27 a.m.
Last Modified :
June 19, 2026, 8:27 a.m.
Remotely Exploit :
Yes !
Source :
eclipse
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | HIGH | e51fbebd-6053-4e49-959f-1b94eeb69a2c | ||||
| CVSS 3.1 | HIGH | MITRE-CVE | ||||
| CVSS 3.1 | HIGH | [email protected] |
Solution
- Update eclipse-threadx NetX Duo to the latest version.
- Apply the security patch for CVE-2025-0728.
- Review and test error handling logic in HTTP server PUT.
- Ensure proper file handle initialization and closing.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-11576 vulnerability anywhere in the article.