PT-2026-38372 · Netty · Netty

Published: 2026-05-07 · Updated: 2026-05-16 · CVE-2026-42579

CVSS v3.1: 9.1 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Netty versions prior to 4.1.133.Final; Netty versions prior to 4.2.13.Final

Description: Netty's DNS codec fails to enforce RFC 1035 domain name constraints during encoding and decoding, creating a bidirectional attack surface. In the encoder, the encodeDomainName() function in io.netty.handler.codec.dns.DnsCodecUtil allows null bytes, labels exceeding 63 bytes, and total domain names exceeding 255 bytes. This can lead to DNS cache poisoning, domain validation bypass, and parser confusion where overlength labels are misinterpreted as compression pointers. Additionally, empty labels cause the domain name to be silently truncated. In the decoder, the decodeDomainName() function in io.netty.handler.codec.dns.DnsCodecUtil does not validate label or total name lengths, allowing malicious DNS responses to trigger unbounded memory allocation via StringBuilder growth, potentially leading to a denial of service.

Recommendations: Update to version 4.1.133.Final or later. Update to version 4.2.13.Final or later. As a temporary workaround, restrict the use of the io.netty.handler.codec.dns.DnsCodecUtil module or validate user-influenced hostnames before passing them to the DNS encoder.
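The workaround above asks applications to validate user-influenced hostnames before they reach the DNS encoder. As an added example, not code from Netty or from this advisory, the standalone Java class below (the name Rfc1035Hostname is made up for the example) enforces the RFC 1035 limits the description lists, namely no null bytes, no empty labels, labels of at most 63 bytes and an encoded name of at most 255 bytes, and produces the wire form only when all of them hold.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;

// Hypothetical helper for this example: applies the RFC 1035 checks that the
// advisory says the vulnerable encodeDomainName() did not perform.
public final class Rfc1035Hostname {
    // A length byte with its top two bits set (0xC0) is a compression pointer,
    // which is why a label may never exceed 63 bytes.
    private static final int MAX_LABEL_LEN = 63;
    // Encoded length, including the terminating zero byte.
    private static final int MAX_NAME_LEN = 255;

    // Returns the wire-format name (length-prefixed labels ending in 0x00)
    // or throws IllegalArgumentException on any constraint violation.
    public static byte[] validateAndEncode(String hostname) {
        if (hostname.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("null byte in hostname");
        }
        // A single trailing dot marks a fully qualified name; it is not an empty label.
        String name = hostname.endsWith(".") ? hostname.substring(0, hostname.length() - 1) : hostname;
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        if (!name.isEmpty()) {   // "." alone is the root name: only the terminator is written
            for (String label : name.split("\\.", -1)) {
                // IDNs must already be converted to ASCII A-labels before this check.
                byte[] bytes = label.getBytes(StandardCharsets.UTF_8);
                if (bytes.length == 0) {
                    // A zero-length label would be written as 0x00 and read back as the
                    // end of the name, silently truncating everything after it.
                    throw new IllegalArgumentException("empty label in \"" + hostname + "\"");
                }
                if (bytes.length > MAX_LABEL_LEN) {
                    throw new IllegalArgumentException("label longer than 63 bytes in \"" + hostname + "\"");
                }
                out.write(bytes.length);
                out.write(bytes, 0, bytes.length);
            }
        }
        out.write(0);
        if (out.size() > MAX_NAME_LEN) {
            throw new IllegalArgumentException("encoded name longer than 255 bytes");
        }
        return out.toByteArray();
    }

    public static void main(String[] args) {
        System.out.println(validateAndEncode("example.com").length);   // 13 bytes on the wire
        String[] rejected = { "a..b", "exam\0ple.com", "x".repeat(64) + ".com" };
        for (String h : rejected) {
            try { validateAndEncode(h); } catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
        }
    }
}
```

Run it on any hostname taken from a request or configuration file before handing the string to the DNS encoder; the same length rules bound what a decoder should accept from a response.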

RCE

Resource Exhaustion

Related Identifiers

CVE-2026-42579
GHSA-CM33-6792-R9FM
OPENSUSE-SU-2026:10795-1

Affected Products

Netty