PT-2026-47610 · Netty · Netty
Published 2026-06-08 · Updated 2026-06-12 · CVE-2026-45674
CVSS v3.1: 8.7 High
Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Netty versions prior to 4.1.135.Final
Netty versions prior to 4.2.15.Final
Description
Netty's DnsResolveContext fails to validate the origin (bailiwick) of CNAME records in DNS responses. In the buildAliasMap() function within io.netty.resolver.dns.DnsResolveContext, the resolver processes the ANSWER section of a DNS response and caches all found CNAME records without verification. This can lead to DNS Cache Poisoning (Bailiwick Bypass), where an attacker provides unauthorized DNS data for a domain they do not control.
Recommendations
Update to version 4.1.135.Final
Update to version 4.2.15.Final
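The validation the description says is missing, sketched as an added Java example (not Netty's code and not its patch): an alias from the ANSWER section is kept only if it lies on the CNAME chain that starts at the queried name. The class, record and method names, and the sample records, are constructed for this illustration.

```java
import java.util.*;

// Added illustration, not Netty code: keep only CNAME records that form a
// chain starting at the name that was actually queried.
public class CnameChainFilter {
    // Hypothetical minimal view of a CNAME record: owner name -> alias target.
    record Cname(String owner, String target) {}

    // DNS names compare case-insensitively; normalise to lower case with a trailing dot.
    static String norm(String name) {
        String n = name.toLowerCase(Locale.ROOT);
        return n.endsWith(".") ? n : n + ".";
    }

    /** Returns owner -> target for the CNAMEs reachable from the question name, in chain order. */
    static Map<String, String> acceptedAliases(String question, List<Cname> answer) {
        Map<String, String> all = new HashMap<>();
        for (Cname c : answer) {
            // A name may own only one CNAME; the first record seen for an owner wins.
            all.putIfAbsent(norm(c.owner()), norm(c.target()));
        }
        Map<String, String> accepted = new LinkedHashMap<>();
        String current = norm(question);
        // Walk the chain from the question; the second condition stops CNAME loops.
        while (all.containsKey(current) && !accepted.containsKey(current)) {
            String target = all.get(current);
            accepted.put(current, target);
            current = target;
        }
        return accepted; // records whose owner is off the chain are never returned
    }

    public static void main(String[] args) {
        // Constructed ANSWER section for a query of www.example.test
        List<Cname> answer = List.of(
            new Cname("www.example.test.", "edge.cdn.test."),
            new Cname("edge.cdn.test.", "node1.cdn.test."),
            new Cname("portal.unrelated.test.", "host.elsewhere.test.")); // not on the chain
        Map<String, String> ok = acceptedAliases("WWW.example.test", answer);
        System.out.println(ok);
        if (ok.containsKey("portal.unrelated.test.")) {
            throw new AssertionError("out-of-chain CNAME must not be cached");
        }
    }
}
```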
Fix
Insufficient Verification of Data Authenticity
Weakness Enumeration
Related Identifiers
Affected Products
Netty