CVE-2026-45673

Description

Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty's DNS resolver uses a predictable PRNG for generating DNS transaction IDs and defaults to a static UDP source port. This combination reduces the entropy of DNS queries, enabling DNS Cache Poisoning (Kaminsky attack). Versions 4.1.135.Final and 4.2.15.Final patch the issue.

CVSS breakdown

CVSS 3.1

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

None

Integrity

High

Availability

None

Affected products

netty / netty>= 4.2.0.Final, < 4.2.15.Final – >= 4.2.0.Final, < 4.2.15.Final
netty / netty< 4.1.135.Final – < 4.1.135.Final

References

VENDOR_ADVISORYhttps://github.com/netty/netty/security/advisories/GHSA-xmv7-r254-6q78
PATCHhttps://github.com/netty/netty/releases/tag/netty-4.1.135.Final
PATCHhttps://github.com/netty/netty/releases/tag/netty-4.2.15.Final