Skip to main content

Netty DNS Resolver EUVDEUVD-2026-36445

| CVE-2026-45673 MEDIUM
Use of Insufficiently Random Values (CWE-330)
2026-06-08 https://github.com/netty/netty GHSA-xmv7-r254-6q78
6.8
CVSS 3.1 · Vendor: https://github.com/netty/netty
Share

Severity by source

Vendor (https://github.com/netty/netty) PRIMARY
6.8 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
SUSE
MEDIUM
qualitative
Red Hat
6.8 MEDIUM
qualitative

Primary rating from Vendor (https://github.com/netty/netty).

CVSS VectorVendor: https://github.com/netty/netty

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 08, 2026 - 23:37 vuln.today
Analysis Generated
Jun 08, 2026 - 23:37 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 238 maven packages depend on io.netty:netty-resolver-dns (6 direct, 232 indirect)

Ecosystem-wide dependent count for version 4.2.0.Final.

DescriptionCVE.org

Summary

Netty's DNS resolver uses a predictable PRNG for generating DNS transaction IDs and defaults to a static UDP source port. This combination reduces the entropy of DNS queries, enabling DNS Cache Poisoning (Kaminsky attack).

Details

Two factors contribute to this vulnerability in io.netty.resolver.dns:

  • Predictable Query IDs: DnsQueryIdSpace manages 16-bit transaction IDs in buckets of 16,384 IDs. It initializes only the first bucket. When an ID is returned, it is pushed back into the bucket at a random index generated by java.util.concurrent.ThreadLocalRandom:
java
Random random = ThreadLocalRandom.current();
int insertionPosition = random.nextInt(count + 1);

Because ThreadLocalRandom is a predictable LCG and the resolver operates within a single bucket, the sequence of IDs is predictable once the PRNG state is mathematically recovered.

  • Default Static Source Port: DnsNameResolverBuilder defaults to a channelStrategy of ChannelPerResolver. This binds the DatagramChannel once, resulting in a static source port for all subsequent queries.

Combined, a static source port and predictable transaction IDs reduces the entropy required to secure DNS resolution against spoofing.

Impact

DNS Cache Poisoning. Downstream applications using the default Netty DNS resolver may connect to malicious IPs, leading to traffic interception or MitM attacks.

AnalysisAI

DNS cache poisoning in Netty's resolver component (io.netty:netty-resolver-dns) enables remote unauthenticated attackers to redirect downstream application traffic to attacker-controlled IPs through a Kaminsky-style spoofing attack. The vulnerability combines two compounding weaknesses present in the default configuration: DNS transaction IDs shuffled with a mathematically predictable Linear Congruential Generator (ThreadLocalRandom), and a static UDP source port resulting from the default ChannelPerResolver channel strategy. No public exploit has been identified at time of analysis and the issue is not listed in CISA KEV, but the Netty project rated it high severity and released fixes in versions 4.1.135.Final and 4.2.15.Final.

Technical ContextAI

The vulnerability resides in two classes within io.netty.resolver.dns. First, DnsQueryIdSpace manages 16-bit DNS transaction IDs in a single 16,384-entry bucket and reinserts returned IDs at a position chosen by java.util.concurrent.ThreadLocalRandom, a Linear Congruential Generator (LCG) whose full internal state can be recovered mathematically after observing a sequence of its outputs - making the ID sequence practically predictable. Second, DnsNameResolverBuilder defaults to a ChannelPerResolver channel strategy, which binds a single DatagramChannel at startup and reuses it for all queries, producing a static UDP source port. RFC 5452 (Kaminsky attack mitigations) requires combined entropy across both the 16-bit transaction ID space and the source port space; eliminating source port randomization collapses effective entropy to at most 16 bits, and the LCG predictability reduces it further still. CWE-330 (Use of Insufficiently Random Values) correctly classifies the root cause. Affected artifacts are identified by CPE as pkg:maven/io.netty:netty-resolver-dns.

RemediationAI

The primary fix is to upgrade io.netty:netty-resolver-dns to version 4.1.135.Final for consumers of the 4.1.x branch, or to 4.2.15.Final for consumers of the 4.2.x branch; both releases are confirmed by the Netty project at https://github.com/netty/netty/releases/tag/netty-4.1.135.Final and https://github.com/netty/netty/releases/tag/netty-4.2.15.Final respectively. If an immediate upgrade is not possible, configure DnsNameResolverBuilder to use a per-query channel strategy rather than the default ChannelPerResolver, which restores source port randomization per DNS query at the cost of increased ephemeral socket churn - operators should verify OS-level ephemeral port range limits (net.ipv4.ip_local_port_range on Linux) before applying this workaround in high-throughput environments. As a complementary defense-in-depth measure for environments that cannot patch, routing DNS traffic through a DNSSEC-validating upstream resolver adds an out-of-band integrity layer, accepting the operational overhead of DNSSEC chain validation failures for unsigned zones. Patch vendor advisory: https://github.com/netty/netty/security/advisories/GHSA-xmv7-r254-6q78.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS Affected

Share

EUVD-2026-36445 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy