CVE-2026-47691

Name of the Vulnerable Software and Affected Versions Netty (ionetty:netty-resolver-dns) (affected versions not specified)

Description Insufficient validation of the bailiwick of NS records in DnsResolveContext allows for DNS Cache Poisoning. An attacker controlling an authoritative name server for a subdomain can poison the cache for parent domains. Specifically, the add() function in io.netty.resolver.dns.DnsResolveContext.AuthoritativeNameServerList accepts any NS record from the AUTHORITY section if the record's name is a suffix of the questionName. Consequently, the handleWithAdditional() function caches associated A records from the ADDITIONAL section into the authoritativeDnsServerCache under the parent domain's key, bypassing bailiwick rules—which dictate that a server authoritative for a subdomain should not be trusted for its parent. The cache() function in io.netty.resolver.dns.DnsResolveContext.AuthoritativeNameServerList only prevents caching for the root zone.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.