HIGH 8.7 Maven
Netty Vulnerable to DNS Cache Poisoning via Missing Bailiwick Checks in CNAME Records
GHSA-676x-f7gg-47vc · CVE-2026-45674
Published · Modified
Description
Summary
Netty's DnsResolveContext fails to validate the origin (bailiwick) of CNAME records in DNS responses.
Details
In io.netty.resolver.dns.DnsResolveContext#buildAliasMap, the resolver processes the ANSWER section of a DNS response and blindly caches all CNAME records it finds.
According to https://datatracker.ietf.org/doc/html/rfc5452#section-6
Care must be taken to only accept
data if it is known that the originator is authoritative for the
QNAME or a parent of the QNAME.
One very simple way to achieve this is to only accept data if it is
part of the domain for which the query was intended.
Impact
DNS Cache Poisoning (Bailiwick Bypass). Any application using Netty's DNS resolver is impacted.
References
- WEB https://github.com/netty/netty/security/advisories/GHSA-676x-f7gg-47vc
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-45674
- PACKAGE https://github.com/netty/netty
- WEB https://github.com/netty/netty/releases/tag/netty-4.1.135.Final
- WEB https://github.com/netty/netty/releases/tag/netty-4.2.15.Final
Ready to move
Start Securing
Free, no credit card | First findings in minutes