CVE-2026-45674

Description

Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty's DnsResolveContext fails to validate the origin (bailiwick) of CNAME records in DNS responses. Versions 4.1.135.Final and 4.2.15.Final patch the issue.

CVSS breakdown

CVSS 3.1

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

Affected products

netty / netty>= 4.2.0.Final, < 4.2.15.Final – >= 4.2.0.Final, < 4.2.15.Final
netty / netty< 4.1.135.Final – < 4.1.135.Final

References

VENDOR_ADVISORYhttps://github.com/netty/netty/security/advisories/GHSA-676x-f7gg-47vc
PATCHhttps://github.com/netty/netty/releases/tag/netty-4.1.135.Final
PATCHhttps://github.com/netty/netty/releases/tag/netty-4.2.15.Final