CVE-2026-11576: CWE-415 Double free in Eclipse Foundation Eclipse ThreadX - NetX Duo
CVE-2026-11576 is a high severity vulnerability in Eclipse Foundation's Eclipse ThreadX - NetX Duo affecting versions 6.4.2 through 6.5.0.202601. It involves a double free issue caused by a refactored error handling path in the HTTP server PUT process that calls fx_file_close() on an uninitialized file handle. This can lead to undefined behavior, including memory corruption or double-close errors.
AI Analysis
Technical Summary
The vulnerability arises from a shared cleanup label introduced in the security fix for CVE-2025-0728, which unconditionally calls fx_file_close() even when the file was never successfully opened. Multiple error branches jump to this cleanup label before any file open operation, causing fx_file_close() to operate on an uninitialized file handle. This results in a double free condition or memory corruption in the HTTP server PUT process of Eclipse ThreadX - NetX Duo.
Potential Impact
Successful exploitation of this vulnerability can cause memory corruption or double free conditions, potentially leading to application crashes or denial of service. The CVSS score of 7.5 indicates high severity with network attack vector, low attack complexity, no privileges or user interaction required, and impact limited to availability (denial of service). There is no indication of confidentiality or integrity impact.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or patch links are provided at this time. Users should monitor Eclipse Foundation advisories for updates and apply any forthcoming patches promptly. Until a fix is available, cautious use or disabling of the affected HTTP server PUT functionality may reduce risk.
CVE-2026-11576: CWE-415 Double free in Eclipse Foundation Eclipse ThreadX - NetX Duo
Description
CVE-2026-11576 is a high severity vulnerability in Eclipse Foundation's Eclipse ThreadX - NetX Duo affecting versions 6.4.2 through 6.5.0.202601. It involves a double free issue caused by a refactored error handling path in the HTTP server PUT process that calls fx_file_close() on an uninitialized file handle. This can lead to undefined behavior, including memory corruption or double-close errors.
CVSS v3.1
Score 7.5high
Affected software
pkg:github/Eclipse ThreadX - NetX DuoRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability arises from a shared cleanup label introduced in the security fix for CVE-2025-0728, which unconditionally calls fx_file_close() even when the file was never successfully opened. Multiple error branches jump to this cleanup label before any file open operation, causing fx_file_close() to operate on an uninitialized file handle. This results in a double free condition or memory corruption in the HTTP server PUT process of Eclipse ThreadX - NetX Duo.
Potential Impact
Successful exploitation of this vulnerability can cause memory corruption or double free conditions, potentially leading to application crashes or denial of service. The CVSS score of 7.5 indicates high severity with network attack vector, low attack complexity, no privileges or user interaction required, and impact limited to availability (denial of service). There is no indication of confidentiality or integrity impact.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or patch links are provided at this time. Users should monitor Eclipse Foundation advisories for updates and apply any forthcoming patches promptly. Until a fix is available, cautious use or disabling of the affected HTTP server PUT functionality may reduce risk.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- eclipse
- Date Reserved
- 2026-06-08T11:16:50.888Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a3510cef198dc38c1f1cdb2
Added to database: 6/19/2026, 9:50:06 AM
Last enriched: 6/19/2026, 10:04:57 AM
Last updated: 6/19/2026, 4:23:30 PM
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.