GHSA-5pvg-856g-cp85
Netty has Insufficient Bailiwick Validation for NS Records
Details
### Summary Netty's `DnsResolveContext` insufficiently validates the bailiwick of NS records, enabling DNS Cache Poisoning. An attacker controlling an authoritative name server for a subdomain can poison the cache for parent domains (like `.co.uk`).
### Details In `io.netty.resolver.dns.DnsResolveContext.AuthoritativeNameServerList#add` method accepts any NS record from the AUTHORITY section as long as the record's name is a suffix of the questionName.
This means if the resolver queries evil.co.uk., it will accept an NS record claiming authority over co.uk.. Subsequently, the `handleWithAdditional` method caches the associated A records from the ADDITIONAL section directly into the `authoritativeDnsServerCache` under the parent domain's key (co.uk.). This bypasses standard bailiwick rules, where a server authoritative for a subdomain should not be trusted to provide authoritative records for its parent. The poisoned cache is then used for all future resolutions under co.uk..
The `io.netty.resolver.dns.DnsResolveContext.AuthoritativeNameServerList#cache` method only prevents caching if the record is for the root zone (dots == 1).
### Impact DNS Cache Poisoning. Any application using Netty's DNS resolver is impacted.
Are you affected?
Enter the version of the package you're using.
Affected packages
4.2.0.Final Fixed in: 4.2.15.Final # pom.xml: bump <version>4.2.15.Final</version> for io.netty:netty-resolver-dns 0 Fixed in: 4.1.135.Final # pom.xml: bump <version>4.1.135.Final</version> for io.netty:netty-resolver-dns References
- https://github.com/netty/netty/security/advisories/GHSA-5pvg-856g-cp85 [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2026-47691 [ADVISORY]
- https://access.redhat.com/errata/RHSA-2026:26017 [WEB]
- https://access.redhat.com/errata/RHSA-2026:26018 [WEB]
- https://access.redhat.com/errata/RHSA-2026:26586 [WEB]
- https://access.redhat.com/errata/RHSA-2026:34608 [WEB]
- https://access.redhat.com/security/cve/CVE-2026-47691 [WEB]
- https://bugzilla.redhat.com/show_bug.cgi?id=2488439 [WEB]
- https://github.com/netty/netty [PACKAGE]
- https://github.com/netty/netty/releases/tag/netty-4.1.135.Final [WEB]
- https://github.com/netty/netty/releases/tag/netty-4.2.15.Final [WEB]
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-47691.json [WEB]