Netty has Insufficient Bailiwick Validation for NS Records
GHSA-5pvg-856g-cp85 · CVE-2026-47691
Published · Modified
Description
Summary
Netty's DnsResolveContext insufficiently validates the bailiwick of NS records, enabling DNS Cache Poisoning. An attacker controlling an authoritative name server for a subdomain can poison the cache for parent domains (like .co.uk).
Details
In io.netty.resolver.dns.DnsResolveContext.AuthoritativeNameServerList#add method accepts any NS record from the AUTHORITY section as long as the record's name is a suffix of the questionName.
This means if the resolver queries evil.co.uk., it will accept an NS record claiming authority over co.uk.. Subsequently, the handleWithAdditional method caches the associated A records from the ADDITIONAL section directly into the authoritativeDnsServerCache under the parent domain's key (co.uk.). This bypasses standard bailiwick rules, where a server authoritative for a subdomain should not be trusted to provide authoritative records for its parent. The poisoned cache is then used for all future resolutions under co.uk..
The io.netty.resolver.dns.DnsResolveContext.AuthoritativeNameServerList#cache method only prevents caching if the record is for the root zone (dots == 1).
Impact
DNS Cache Poisoning. Any application using Netty's DNS resolver is impacted.
References
- WEB https://github.com/netty/netty/security/advisories/GHSA-5pvg-856g-cp85
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-47691
- PACKAGE https://github.com/netty/netty
- WEB https://github.com/netty/netty/releases/tag/netty-4.1.135.Final
- WEB https://github.com/netty/netty/releases/tag/netty-4.2.15.Final
Ready to move
Start Securing
Free, no credit card | First findings in minutes