7.5
CVE-2026-11576
- EPSS 0.26%
- Veröffentlicht 19.06.2026 08:27:59
- Zuletzt bearbeitet 02.07.2026 20:04:25
- Quelle emo@eclipse.org
- CVE-Watchlists
- Unerledigt
The security fix for CVE-2025-0728 in eclipse-threadx NetX Duo refactors error handling in the HTTP server PUT process to use a shared cleanup label, but this unified cleanup path unconditionally calls fx_file_close() even when the file was never successfully opened. Multiple error branches jump to the shared cleanup label before any file open operation has occurred, causing fx_file_close() to operate on an uninitialized file handle, leading to undefined behavior, double-close issues, or memory corruption.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Eclipse ≫ Threadx Netx Duo Version >= 6.4.2 <= 6.5.0.202601
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.26% | 0.174 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| emo@eclipse.org | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
|
CWE-415 Double Free
The product calls free() twice on the same memory address.
CWE-459 Incomplete Cleanup
The product does not properly "clean up" and remove temporary or supporting resources after they have been used.
CWE-908 Use of Uninitialized Resource
The product uses or accesses a resource that has not been initialized.
https://gitlab.eclipse.org/security/cve-assignment/-/work_items/123