Description
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's DNS codec does not enforce RFC 1035 domain name constraints during either encoding or decoding. This creates a bidirectional attack surface: malicious DNS responses can exploit the decoder, and user-influenced hostnames can exploit the encoder. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Published: 2026-05-13
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Netty is an asynchronous, event‑driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, its DNS codec does not enforce RFC 1035 domain name constraints during either encoding or decoding. This lack of input validation allows malicious DNS responses to bypass validation, leading to crashes or denial of service, and permits user‑influenced hostnames to be sent unchecked by the encoder. The flaw stems from improper input validation (CWE‑20) and buffer handling weaknesses (CWE‑1286), creating a vulnerability that can exhaust resources or crash the application.

Affected Systems

Any software that incorporates Netty 4.x and relies on the DNS codec before version 4.2.13.Final or 4.1.133.Final is vulnerable. This includes all deployments that use the netty:netty library without the mentioned version update.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity vulnerability. EPSS is <1%, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is network‑based: an attacker can craft DNS responses or supply hostnames that trigger improper handling. The weakness is classified as CWE‑20 and CWE‑1286; exploitation requires no local privileges or special conditions, making it likely in exposed services.

Generated by OpenCVE AI on May 28, 2026 at 13:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Netty library to version 4.2.13.Final or 4.1.133.Final or later, ensuring full RFC 1035 domain name validation is enforced.
  • If an immediate upgrade is not feasible, disable or remove the Netty DNS codec from the application stack, or replace it with a custom DNS handler that validates hostnames according to RFC 1035.
  • Deploy monitoring to detect unusually large or malformed DNS responses and implement rate limiting on DNS traffic to mitigate potential denial of service attacks.
  • Ensure that any custom DNS handler enforces RFC 1035 constraints to mitigate input validation and buffer handling weaknesses (CWE‑20, CWE‑1286).
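The description above and the recommendation to validate hostnames per RFC 1035 both turn on the same constraints: labels of at most 63 octets, a whole wire-format name of at most 255 octets, and compression pointers that may only refer backwards. The following is an added example, written in Python for this page and not taken from Netty or from the advisory, of a DNS name encoder and decoder that enforces those limits on both sides. The pointer hop cap, the helper names (`encode_name`, `decode_name`, `is_valid_hostname`, `is_valid_wire_name`) and the sample messages are this example's own choices; the preferred-name-syntax check on the encoder is the RFC 1035 hostname rule, so service names with underscores would need it relaxed.

```python
"""Added example (not Netty's code): RFC 1035-constrained DNS name encoder and decoder."""

MAX_LABEL_OCTETS = 63    # RFC 1035 section 2.3.4: a label is at most 63 octets
MAX_NAME_OCTETS = 255    # RFC 1035 section 2.3.4: a whole wire-format name is at most 255 octets
MAX_POINTER_HOPS = 16    # local cap on compression-pointer chasing (an assumption, not an RFC value)


class DnsNameError(ValueError):
    """A name violated an RFC 1035 constraint; drop the message or reject the input."""


def encode_name(hostname: str) -> bytes:
    """Encode a dotted hostname into uncompressed wire form, rejecting anything RFC 1035 forbids:
    non-ASCII, empty labels, labels over 63 octets, names over 255 octets, and labels outside the
    preferred name syntax (letters, digits, hyphens; no leading or trailing hyphen)."""
    name = hostname.rstrip(".")
    if name == "":
        return b"\x00"  # the root name is a lone zero-length label
    out = bytearray()
    for label in name.split("."):
        try:
            raw = label.encode("ascii")
        except UnicodeEncodeError:
            raise DnsNameError(f"non-ASCII label {label!r}") from None
        if not raw:
            raise DnsNameError("empty label (consecutive dots)")
        if len(raw) > MAX_LABEL_OCTETS:
            raise DnsNameError(f"label exceeds {MAX_LABEL_OCTETS} octets: {label!r}")
        if not all(c.isalnum() or c == "-" for c in label) or label[0] == "-" or label[-1] == "-":
            raise DnsNameError(f"label violates preferred name syntax: {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)  # terminating zero-length label
    if len(out) > MAX_NAME_OCTETS:
        raise DnsNameError(f"name exceeds {MAX_NAME_OCTETS} octets on the wire")
    return bytes(out)


def decode_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a possibly compressed name at `offset`; return (dotted name, offset just past it).
    Rejects reads beyond the buffer, reserved label types (which also caps labels at 63 octets),
    names over 255 octets, and pointers that do not point strictly backwards (so no loops)."""
    labels: list[str] = []
    name_octets = 0   # octets the name would occupy written uncompressed
    pos, end, hops = offset, None, 0
    while True:
        if pos >= len(msg):
            raise DnsNameError("name runs past end of message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:                     # 11xxxxxx: compression pointer
            if pos + 1 >= len(msg):
                raise DnsNameError("truncated compression pointer")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            if target >= pos:                         # RFC 1035 4.1.4: prior occurrence only
                raise DnsNameError("forward or self-referencing compression pointer")
            hops += 1
            if hops > MAX_POINTER_HOPS:
                raise DnsNameError("too many compression pointers")
            if end is None:
                end = pos + 2                         # the name ends after the first pointer
            pos = target
            continue
        if length & 0xC0:                             # 01xxxxxx / 10xxxxxx are reserved
            raise DnsNameError(f"reserved label type 0x{length:02x}")
        name_octets += 1 + length
        if name_octets > MAX_NAME_OCTETS:
            raise DnsNameError(f"name exceeds {MAX_NAME_OCTETS} octets")
        if length == 0:                               # terminating root label
            if end is None:
                end = pos + 1
            break
        if pos + 1 + length > len(msg):
            raise DnsNameError("label runs past end of message")
        try:
            labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
        except UnicodeDecodeError:
            raise DnsNameError("non-ASCII octets in label") from None
        pos += 1 + length
    return ".".join(labels), end


def is_valid_hostname(hostname: str) -> bool:
    """True if the encoder accepts the hostname."""
    try:
        encode_name(hostname)
        return True
    except DnsNameError:
        return False


def is_valid_wire_name(msg: bytes, offset: int = 0) -> bool:
    """True if the decoder accepts the name found at offset."""
    try:
        decode_name(msg, offset)
        return True
    except DnsNameError:
        return False


if __name__ == "__main__":
    # Constructed message: "example.com" at offset 0, then "www" plus a pointer back to offset 0.
    message = b"\x07example\x03com\x00" + b"\x03www\xc0\x00"
    print(decode_name(message, 13))  # ('www.example.com', 19)
    for bad in (b"\xc0\x00", b"\xc0\x02\x00", b"\x40" + b"a" * 64 + b"\x00"):
        print("rejected:", bad[:4], is_valid_wire_name(bad))
```

A resolver-side handler would call `decode_name` on every name in a response and discard the whole message on `DnsNameError`, and an application would call `is_valid_hostname` on user-influenced input before it reaches the encoder; the 255-octet count is kept against the uncompressed length so a compressed name cannot smuggle in more data than an uncompressed one could.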

Advisories

Source: Github GHSA
ID: GHSA-cm33-6792-r9fm
Title: Netty has a DNS Codec Input Validation Bypass (Encoder + Decoder)
History

Thu, 28 May 2026 12:15:00 +0000

Type: Weaknesses
Values Added: CWE-1286

Type: References (no values shown)

Type: Metrics
Values Removed: threat_severity = None
Values Added: threat_severity = Important


Mon, 18 May 2026 16:30:00 +0000

Type: Metrics
Values Added: ssvc = {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 18 May 2026 13:00:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*


Wed, 13 May 2026 20:00:00 +0000

Type: First Time appeared
Values Added: Netty, Netty netty

Type: Vendors & Products
Values Added: Netty, Netty netty


Wed, 13 May 2026 18:30:00 +0000

Type: Description
Values Added: Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's DNS codec does not enforce RFC 1035 domain name constraints during either encoding or decoding. This creates a bidirectional attack surface: malicious DNS responses can exploit the decoder, and user-influenced hostnames can exploit the encoder. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

Type: Title
Values Added: Netty: DNS Codec Input Validation Bypass in Netty (Encoder + Decoder)

Type: Weaknesses
Values Added: CWE-20, CWE-400, CWE-626

Type: References (no values shown)

Type: Metrics
Values Added: cvssV3_1 = {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-05-18T15:40:22.534Z
Reserved: 2026-04-28T17:26:12.085Z
Link: CVE-2026-42579

Vulnrichment

Updated: 2026-05-18T15:39:13.328Z

NVD

Status: Modified
Published: 2026-05-13T19:17:23.353
Modified: 2026-05-18T17:16:32.397
Link: CVE-2026-42579

Redhat

Severity: Important
Public Date: 2026-05-13T18:01:52Z
Links: CVE-2026-42579 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-28T13:45:14Z