Skip to main content

Netty CVE-2026-47691

| EUVDEUVD-2026-36489 CRITICAL
Insufficient Verification of Data Authenticity (CWE-345)
2026-06-08 https://github.com/netty/netty GHSA-5pvg-856g-cp85
10.0
CVSS 3.1 · NVD
Share

Severity by source

Vendor (https://github.com/netty/netty) PRIMARY
HIGH
qualitative
NVD
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
vuln.today AI
7.5 HIGH

Network-reachable resolver with no auth or UI, but AC:H because attacker must run a subdomain NS and induce a query; scope changes to other domains, integrity is high, confidentiality only low (indirect via redirection).

3.1 AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:L/SI:H/SA:N
SUSE
8.7 HIGH
AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
Red Hat
8.7 HIGH
qualitative

Primary rating from Vendor (https://github.com/netty/netty).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

7
Analysis Updated
Jun 15, 2026 - 02:13 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 15, 2026 - 02:13 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 15, 2026 - 02:07 vuln.today
cvss_changed
Severity Changed
Jun 15, 2026 - 02:07 NVD
HIGH CRITICAL
CVSS changed
Jun 15, 2026 - 02:07 NVD
8.7 (HIGH) 10.0 (CRITICAL)
Source Code Evidence Fetched
Jun 08, 2026 - 23:33 vuln.today
Analysis Generated
Jun 08, 2026 - 23:33 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 238 maven packages depend on io.netty:netty-resolver-dns (6 direct, 232 indirect)

Ecosystem-wide dependent count for version 4.2.0.Final.

DescriptionNVD

Summary

Netty's DnsResolveContext insufficiently validates the bailiwick of NS records, enabling DNS Cache Poisoning. An attacker controlling an authoritative name server for a subdomain can poison the cache for parent domains (like .co.uk).

Details

In io.netty.resolver.dns.DnsResolveContext.AuthoritativeNameServerList#add method accepts any NS record from the AUTHORITY section as long as the record's name is a suffix of the questionName.

This means if the resolver queries evil.co.uk., it will accept an NS record claiming authority over co.uk.. Subsequently, the handleWithAdditional method caches the associated A records from the ADDITIONAL section directly into the authoritativeDnsServerCache under the parent domain's key (co.uk.). This bypasses standard bailiwick rules, where a server authoritative for a subdomain should not be trusted to provide authoritative records for its parent. The poisoned cache is then used for all future resolutions under co.uk..

The io.netty.resolver.dns.DnsResolveContext.AuthoritativeNameServerList#cache method only prevents caching if the record is for the root zone (dots == 1).

Impact

DNS Cache Poisoning. Any application using Netty's DNS resolver is impacted.

AnalysisAI

DNS cache poisoning in Netty's netty-resolver-dns library (versions prior to 4.1.135.Final and 4.2.0.Final through 4.2.14.Final) allows an attacker who controls an authoritative name server for any subdomain to inject forged NS and A records for parent zones such as .co.uk into the resolver's authoritativeDnsServerCache. The bailiwick check in DnsResolveContext.AuthoritativeNameServerList only blocks records targeting the root zone, so any Java application embedding Netty's resolver can be steered to attacker-controlled name servers for unrelated domains. EPSS is only 0.01% and no public exploit identified at time of analysis, but the SSVC technical impact is rated total.

Technical ContextAI

Netty's netty-resolver-dns is a non-blocking DNS client used widely across the JVM ecosystem (Vert.x, gRPC-Java, Apache Pulsar, Reactor Netty, Spring WebFlux, Hadoop, Elasticsearch transports, etc.). The flaw is a CWE-345 (Insufficient Verification of Data Authenticity) violation of the bailiwick rule defined in RFC 8499 / RFC 5452: AuthoritativeNameServerList#add accepts any NS record from the AUTHORITY section whose name is merely a suffix of the question name, and AuthoritativeNameServerList#cache only rejects records when the cached name has exactly one label (root protection). This lets a delegation response for evil.co.uk include an NS for co.uk, and the glue A records from ADDITIONAL are then keyed under co.uk in the authoritative server cache and reused for every subsequent query under that TLD. The affected Maven artifacts identified by CPE are pkg:maven/io.netty:netty-resolver-dns in both the 4.1.x and 4.2.x branches.

RemediationAI

Vendor-released patch: upgrade io.netty:netty-resolver-dns to 4.1.135.Final on the 4.1 branch (https://github.com/netty/netty/releases/tag/netty-4.1.135.Final) or to 4.2.15.Final on the 4.2 branch (https://github.com/netty/netty/releases/tag/netty-4.2.15.Final); refer to GHSA-5pvg-856g-cp85 for the full advisory. Because netty-resolver-dns is almost always pulled in transitively, audit dependency trees (mvn dependency:tree / gradle dependencies) and pin the resolver artifact explicitly if upstream BOMs have not yet shipped. As a compensating control until upgrade, switch affected services to the JDK's default InetAddress / DnsClient resolver (sacrifices Netty's non-blocking I/O and may regress latency), or route resolution through a hardened recursive resolver that performs its own bailiwick checks (e.g., Unbound, BIND with strict harden-glue / harden-below-nxdomain) and disable Netty's local cache so it cannot retain poisoned records - at the cost of higher upstream query load.

Vendor StatusVendor

SUSE

Severity: Important
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS Affected

Share

CVE-2026-47691 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy