CVE-2026-11576

CVE-2026-11576 PUBLISHED

Assigner: eclipse
Reserved: 08.06.2026 Published: 19.06.2026 Updated: 19.06.2026

The security fix for CVE-2025-0728 in eclipse-threadx NetX Duo refactors error handling in the HTTP server PUT process to use a shared cleanup label, but this unified cleanup path unconditionally calls fx_file_close() even when the file was never successfully opened. Multiple error branches jump to the shared cleanup label before any file open operation has occurred, causing fx_file_close() to operate on an uninitialized file handle, leading to undefined behavior, double-close issues, or memory corruption.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS Score: 7.5

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	Eclipse Foundation
Product	Eclipse ThreadX - NetX Duo
Versions	Default: unaffected affected from 6.4.2 to 6.5.0.202601 (incl.)

Vendor

Eclipse Foundation

Product

Eclipse ThreadX - NetX Duo

Versions

Default: unaffected

affected from 6.4.2 to 6.5.0.202601 (incl.)

Credits

@decsecre583 finder

References

Problem Types

CWE-415 Double free CWE
CWE-459 Incomplete cleanup CWE
CWE-908 Use of uninitialized resource CWE