CVE-2026-11576

CVE-2026-11576 is a high-severity vulnerability in Eclipse Threadx Netx Duo with a CVSS 3.x base score of 7.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-459.

Key facts

Description

The security fix for CVE-2025-0728 in eclipse-threadx NetX Duo refactors error handling in the HTTP server PUT process to use a shared cleanup label, but this unified cleanup path unconditionally calls fx_file_close() even when the file was never successfully opened. Multiple error branches jump to the shared cleanup label before any file open operation has occurred, causing fx_file_close() to operate on an uninitialized file handle, leading to undefined behavior, double-close issues, or memory corruption.

Frequently asked questions

What is CVE-2026-11576?
The security fix for CVE-2025-0728 in eclipse-threadx NetX Duo refactors error handling in the HTTP server PUT process to use a shared cleanup label, but this unified cleanup path unconditionally calls fx_file_close() even when the file was never successfully opened. Multiple error branches jump to the shared cleanup label before any file open operation has occurred, causing fx_file_close() to operate on an uninitialized file handle, leading to undefined behavior, double-close issues, or memory corruption.
How severe is CVE-2026-11576?
CVE-2026-11576 has a CVSS 3.x base score of 7.5, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is none, integrity none, and availability high.
Is CVE-2026-11576 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (18th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2026-11576?
CVE-2026-11576 affects Eclipse Threadx Netx Duo. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2026-11576?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
Does CVE-2026-11576 have an EU (EUVD) identifier?
Yes. CVE-2026-11576 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-37999.
When was CVE-2026-11576 published?
CVE-2026-11576 was published on 2026-06-19 and last updated on 2026-07-02.

References

Affected products (1)

More vulnerabilities in Eclipse Threadx Netx Duo

All CVEs affecting Eclipse Threadx Netx Duo →

Other CWE-459 vulnerabilities

Browse all CWE-459 vulnerabilities →