HIGH | CVE-2026-45290 | CNA: GitHub_M

CVE-2026-45290: Cloudburst Network has DoS in RakNet connection handling due to missing bound checks

Cloudburst Network provides network components used within Cloudburst projects. A vulnerability in versions prior to `1.0.0.CR3-20260417.085727-30` impacts publicly accessible software depending on the affected versions of Network and allows an attacker to exploit a vulnerability in Network to stall the netty event loop, rendering it inoperable. All consumers of the library should upgrade to at least version `1.0.0.CR3-20260417.085727-30`. There are no known workarounds beyond updating the library.

Metrics

  • CVSS v3.1: 7.5
  • Severity: HIGH
  • Fixed in: (none listed)
  • Affected Products: 1


HarborGuard Analysis

Synopsis

A denial-of-service vulnerability in Cloudburst Network's RakNet connection handling allows an unauthenticated remote attacker to stall the Netty event loop by sending crafted packets that bypass missing bound checks. The service becomes entirely unresponsive once the event loop is stalled, making it inoperable until restarted. No fix version has been published to upstream registries yet; HarborGuard tracks the advisory and will make a patched-image rebuild available as soon as an upstream fix is released.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-45290 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle the affected Cloudburst Network library at versions prior to 1.0.0.CR3-20260417.085727-30.

Triage: Available

HarborGuard is capable of scoring this CVE at CVSS 7.5 (HIGH) and weighting it against each customer environment's compliance policy to surface the finding to the appropriate team inbox. Per-environment context, such as whether the affected image is internet-facing, is factored into priority routing.

Patch: Pending upstream

Because no upstream fix version has been published, HarborGuard re-checks the advisory each ingest cycle and will make a patched-image rebuild available the moment a fix is released by the CloudburstMC project. For customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads will be triggered automatically at that point.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the exposed RakNet service over the network; any publicly accessible host running the affected library is within range.

  • Authentication: Not required

    No credentials or account are needed; the malicious packets can be sent by any unauthenticated party.

  • Victim interaction: Not required

    No user action is required; the attacker sends packets directly to the service without involving any human on the target side.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and requires no special conditions, race timing, or knowledge of memory layout.

Blast Radius

  • Stalls the Netty event loop, rendering the entire affected service inoperable until it is manually restarted.
  • All connections handled by the stalled event loop are dropped, cutting off every active client session simultaneously.
  • Repeated triggering keeps the service down indefinitely with minimal attacker effort, due to low attack complexity and no authentication barrier.

How HarborGuard Handles This

Available on HarborGuard: scanning for CVE-2026-45290 is active for all customer images that include the CloudburstMC Network library below version 1.0.0.CR3-20260417.085727-30. Because no upstream fix has been published, HarborGuard monitors the advisory on every ingest cycle and will surface a patched-image rebuild automatically the moment a fix version appears upstream. For customers who opt into auto-remediation, that rebuild will be paired with a regression run and a PR opened against affected workloads.

In the meantime, compensating controls worth considering include network-policy isolation to restrict inbound connections to the RakNet port to trusted sources only, egress filtering to reduce the service's attack surface, and feature-flag gating to disable the affected component where the application architecture permits it. The CVE description notes no known workarounds beyond updating the library, so limiting network exposure is the primary available mitigation until an upstream patch is available.

Affected packages
  • CloudburstMC / Network
    < 1.0.0.CR3-20260417.085727-30
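
The affected range above cannot be checked with a plain string comparison, because the build number after the timestamp must be compared as an integer. The following is an added example, not HarborGuard's or the Cloudburst project's code, that decides whether a dependency version falls below the fixed build. It assumes the version string reads as base version, build timestamp and build number, and uses a simplified, assumed qualifier ordering; `parse` and `is_affected` are hypothetical helper names.

```python
import re

FIXED = "1.0.0.CR3-20260417.085727-30"  # first fixed version per the advisory

# <major>.<minor>.<patch>[.<qualifier><n>][-<yyyyMMdd.HHmmss>-<build> | -SNAPSHOT]
# The timestamp/build split is an assumed reading of the advisory's version string.
_VERSION = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)"
    r"(?:[.-](?!SNAPSHOT)(?P<qual>[A-Za-z]+)(?P<qnum>\d*))?"
    r"(?:-(?:(?P<ts>\d{8}\.\d{6})-(?P<build>\d+)|(?P<snap>SNAPSHOT)))?$"
)
# Assumed qualifier order, simplified from Maven's: pre-releases sort below a release.
_QUAL_RANK = {"alpha": 0, "beta": 1, "m": 2, "cr": 3, "rc": 3, "": 4, "final": 4}


def parse(version):
    """Return (base, stamp); stamp is None for an unresolved -SNAPSHOT."""
    m = _VERSION.match(version.strip())
    qual = (m["qual"] or "").lower() if m else None
    if m is None or qual not in _QUAL_RANK:
        raise ValueError(f"unrecognised version: {version!r}")
    base = (int(m[1]), int(m[2]), int(m[3]), _QUAL_RANK[qual], int(m["qnum"] or 0))
    if m["snap"]:
        return base, None
    # A build with no timestamp is a release of that base: sorts after its snapshots.
    stamp = (m["ts"], int(m["build"])) if m["ts"] else ("99999999.999999", 0)
    return base, stamp


def is_affected(version, fixed=FIXED):
    """True if below the fixed build, False if not, None if it cannot be decided."""
    base, stamp = parse(version)
    fixed_base, fixed_stamp = parse(fixed)
    if base != fixed_base:
        return base < fixed_base
    if stamp is None:
        return None  # same base, unresolved SNAPSHOT: resolve the timestamp first
    return stamp < fixed_stamp  # timestamp first, then build number as an integer


if __name__ == "__main__":
    # Constructed sample versions, not taken from any real dependency tree.
    for v in ("1.0.0.CR3-20260417.085727-9", "1.0.0.CR3-20260417.085727-30",
              "1.0.0.CR2-20260501.000000-99", "1.0.0.CR3-SNAPSHOT", "1.0.0.Final"):
        print(f"{v:32} affected={is_affected(v)}")
```

A `None` result means the dependency is declared as an unresolved `-SNAPSHOT` on the fixed base, so the resolved timestamp has to be read from the lockfile or the packaged artifact before the image can be cleared.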
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H