GHSA-676x-f7gg-47vc
Netty Vulnerable to DNS Cache Poisoning via Missing Bailiwick Checks in CNAME Records
Details
### Summary Netty's DnsResolveContext fails to validate the origin (bailiwick) of CNAME records in DNS responses.
### Details In `io.netty.resolver.dns.DnsResolveContext#buildAliasMap`, the resolver processes the ANSWER section of a DNS response and blindly caches all CNAME records it finds.
According to https://datatracker.ietf.org/doc/html/rfc5452#section-6
``` Care must be taken to only accept data if it is known that the originator is authoritative for the QNAME or a parent of the QNAME. One very simple way to achieve this is to only accept data if it is part of the domain for which the query was intended. ```
### Impact DNS Cache Poisoning (Bailiwick Bypass). Any application using Netty's DNS resolver is impacted.
Are you affected?
Enter the version of the package you're using.
Affected packages
4.2.0.Final Fixed in: 4.2.15.Final # pom.xml: bump <version>4.2.15.Final</version> for io.netty:netty-resolver-dns 0 Fixed in: 4.1.135.Final # pom.xml: bump <version>4.1.135.Final</version> for io.netty:netty-resolver-dns References
- https://github.com/netty/netty/security/advisories/GHSA-676x-f7gg-47vc [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2026-45674 [ADVISORY]
- https://access.redhat.com/errata/RHSA-2026:26017 [WEB]
- https://access.redhat.com/errata/RHSA-2026:26018 [WEB]
- https://access.redhat.com/errata/RHSA-2026:26586 [WEB]
- https://access.redhat.com/errata/RHSA-2026:34608 [WEB]
- https://access.redhat.com/security/cve/CVE-2026-45674 [WEB]
- https://bugzilla.redhat.com/show_bug.cgi?id=2488400 [WEB]
- https://github.com/netty/netty [PACKAGE]
- https://github.com/netty/netty/releases/tag/netty-4.1.135.Final [WEB]
- https://github.com/netty/netty/releases/tag/netty-4.2.15.Final [WEB]
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-45674.json [WEB]