Skip to main content

Netty EUVDEUVD-2026-36450

| CVE-2026-45674 CRITICAL
Insufficient Verification of Data Authenticity (CWE-345)
2026-06-08 https://github.com/netty/netty GHSA-676x-f7gg-47vc
10.0
CVSS 3.1 · NVD
Share

Severity by source

Vendor (https://github.com/netty/netty) PRIMARY
HIGH
qualitative
NVD
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
vuln.today AI
8.7 HIGH

Network-reachable cache poisoning with no auth or UI; AC:H because the attacker must induce or shape a DNS response; scope changes as cached entries affect other consumers; no availability impact.

3.1 AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:H/SI:H/SA:N
SUSE
8.7 HIGH
AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
Red Hat
8.7 HIGH
qualitative

Primary rating from Vendor (https://github.com/netty/netty).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

7
Analysis Updated
Jun 15, 2026 - 02:28 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 15, 2026 - 02:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 15, 2026 - 02:22 vuln.today
cvss_changed
Severity Changed
Jun 15, 2026 - 02:22 NVD
HIGH CRITICAL
CVSS changed
Jun 15, 2026 - 02:22 NVD
8.7 (HIGH) 10.0 (CRITICAL)
Source Code Evidence Fetched
Jun 08, 2026 - 23:32 vuln.today
Analysis Generated
Jun 08, 2026 - 23:32 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 238 maven packages depend on io.netty:netty-resolver-dns (6 direct, 232 indirect)

Ecosystem-wide dependent count for version 4.2.0.Final.

DescriptionNVD

Summary

Netty's DnsResolveContext fails to validate the origin (bailiwick) of CNAME records in DNS responses.

Details

In io.netty.resolver.dns.DnsResolveContext#buildAliasMap, the resolver processes the ANSWER section of a DNS response and blindly caches all CNAME records it finds.

According to https://datatracker.ietf.org/doc/html/rfc5452#section-6

Care must be taken to only accept
   data if it is known that the originator is authoritative for the
   QNAME or a parent of the QNAME.
   One very simple way to achieve this is to only accept data if it is
   part of the domain for which the query was intended.

Impact

DNS Cache Poisoning (Bailiwick Bypass). Any application using Netty's DNS resolver is impacted.

AnalysisAI

DNS cache poisoning in Netty's netty-resolver-dns component (versions before 4.1.135.Final and 4.2.x before 4.2.15.Final) lets remote attackers inject forged CNAME records into the resolver cache by exploiting missing bailiwick (origin) validation in DnsResolveContext#buildAliasMap. Any JVM application relying on Netty for asynchronous DNS resolution may be redirected to attacker-controlled hosts, enabling man-in-the-middle on subsequent traffic. No public exploit identified at time of analysis, EPSS is 0.01%, and the issue is not on the CISA KEV list, but CVSS rates it 10.0 due to the scope-changing integrity/confidentiality impact.

Technical ContextAI

Netty's netty-resolver-dns is an asynchronous DNS client used by Netty-based HTTP, gRPC, and reactive networking stacks (Reactor Netty, Spring WebFlux, Armeria, etc.). The root cause is CWE-345 (Insufficient Verification of Data Authenticity): when parsing the ANSWER section of a DNS response, DnsResolveContext#buildAliasMap caches every CNAME record returned without checking that the record's owner name lies within the bailiwick of the queried QNAME, contrary to RFC 5452 §6. An authoritative server (or off-path attacker who can supply any DNS answer the resolver consumes) can therefore stuff CNAME records for unrelated zones - for example bank.com IN CNAME evil.attacker.com - into a response to a different query, and Netty will cache them as authoritative aliases.

RemediationAI

Upgrade io.netty:netty-resolver-dns to the vendor-released patched versions 4.1.135.Final (4.1.x line) or 4.2.15.Final (4.2.x line) per https://github.com/netty/netty/releases/tag/netty-4.1.135.Final and https://github.com/netty/netty/releases/tag/netty-4.2.15.Final; in Maven/Gradle multi-module projects use a BOM/dependencyManagement pin to ensure transitive consumers (Reactor Netty, gRPC, Spring) pick up the fix. If immediate upgrade is impossible, switch the resolver to the JDK's built-in DnsAddressResolverGroup or InetSocketAddress.createUnresolved + JDK InetAddress (trading off Netty's async non-blocking resolution for blocking JDK behavior, which can hurt throughput on Netty event loops), restrict outbound DNS to a trusted recursive resolver over DoT/DoH so an off-path attacker cannot inject answers, and avoid resolving attacker-controlled hostnames (disable user-supplied URL fetching or run it through an isolated egress proxy that performs its own validated resolution).

Vendor StatusVendor

SUSE

Severity: Important
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS Affected

Share

EUVD-2026-36450 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy