Description
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty's DNS resolver uses a predictable PRNG for generating DNS transaction IDs and defaults to a static UDP source port. This combination reduces the entropy of DNS queries, enabling DNS Cache Poisoning (Kaminsky attack). Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Published: 2026-06-12
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Netty's DNS resolver (the netty-resolver-dns module) uses a predictable pseudo-random number generator to create DNS transaction IDs and, by default, sends every query from the same UDP source port. An off-path attacker therefore has little to guess when forging a response: the 16-bit transaction ID is the only varying field, and even that is predictable. That makes a Kaminsky-style cache poisoning attack practical: the attacker triggers lookups for names under a target domain, floods the resolver with spoofed responses carrying forged records (for example, an authority or additional section pointing the target domain at an attacker-controlled server), and wins the race before the legitimate answer arrives. A successful poisoning injects forged records into the resolver cache of any application that resolves names through Netty's DNS resolver.

Affected Systems

The vulnerability affects Netty 4.1.x before 4.1.135.Final and 4.2.x before 4.2.15.Final. Any application or service that resolves names through Netty's own DNS resolver over UDP is at risk; applications that use Netty for networking but leave name resolution to the JDK's default InetAddress lookup do not use the affected code.

Risk and Exploitability

The CVSS 3.1 score of 6.8 (AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N) places the vulnerability in the medium range: it is reachable from the network without privileges or user interaction and affects integrity of components beyond Netty itself, but the high attack complexity reflects the race the attacker must win against the legitimate response. The EPSS score below 1% indicates a low predicted probability of exploitation in the wild over the coming 30 days. Absence from CISA's KEV catalog means no confirmed in-the-wild exploitation has been recorded; it does not mean the technique is undocumented, since Kaminsky-style poisoning is well understood and tooling for it is public. The attack vector is an off-path attacker who can send spoofed UDP responses to the resolver's source port and can cause the resolver to issue queries for names of the attacker's choosing (for example by getting the application to connect to attacker-chosen hostnames), thereby poisoning the resolver's cache.
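The two questions a practitioner asks about this class of bug are "is my resolver emitting the weak pattern?" and "how much does the lost entropy help the attacker?". The script below is an added example, not code from Netty or from the advisory; it answers both against constructed query samples rather than captured traffic. It assumes a counter with a fixed stride as a stand-in for the weak generator (the page does not describe the actual PRNG), and its "hardened" sample models per-query random port and transaction ID as the illustrative fix, not as a description of what the patched Netty versions do.

```python
import math
import random

# --- Constructed samples (not captured traffic) ---------------------------
# Each tuple is (udp_source_port, dns_transaction_id) for one outgoing query,
# in the order the resolver sent them.

# Vulnerable pattern: one source port for the life of the resolver's UDP
# channel, and transaction IDs from a predictable generator. A counter with a
# fixed stride is the simplest predictable generator and is used here as an
# assumed stand-in for the weak PRNG; the real algorithm is not reproduced.
VULNERABLE_QUERIES = [(45213, (0x1A2B + 7 * i) & 0xFFFF) for i in range(32)]

# Illustrative hardened pattern: fresh ephemeral port and 16-bit TXID per
# query. Drawn from a seeded Mersenne Twister so the example is reproducible;
# a real resolver must use a cryptographically secure generator.
_rng = random.Random(2026)
HARDENED_QUERIES = [(_rng.randint(49152, 65535), _rng.getrandbits(16))
                    for _ in range(32)]


def constant_stride(txids):
    """Return the stride if consecutive TXIDs differ by a constant (mod 2**16),
    i.e. the next ID can be computed from the previous one. None otherwise."""
    if len(txids) < 3:
        return None
    strides = {(b - a) & 0xFFFF for a, b in zip(txids, txids[1:])}
    return strides.pop() if len(strides) == 1 else None


def guess_space(queries):
    """Estimate the bits an off-path attacker must guess to forge one response.

    TXID: 16 bits unless the sample shows it is computable from prior IDs.
    Port: 0 bits if every query left from the same port; otherwise log2 of the
    distinct ports seen, which is only a lower bound from the sample (a
    resolver that binds a fresh ephemeral port per query has roughly 14-15
    bits here on common operating systems).
    """
    ports = [p for p, _ in queries]
    txids = [t for _, t in queries]
    stride = constant_stride(txids)
    txid_bits = 0 if stride is not None else 16
    distinct_ports = len(set(ports))
    port_bits = 0.0 if distinct_ports == 1 else math.log2(distinct_ports)
    return {
        "static_port": distinct_ports == 1,
        "txid_stride": stride,
        "txid_bits": txid_bits,
        "port_bits_observed": port_bits,
        "total_bits": txid_bits + port_bits,
    }


def race_success_probability(bits, forged_per_race):
    """Probability that at least one of `forged_per_race` spoofed responses,
    each carrying an independent uniform guess of the unknown `bits`, matches
    the outstanding query and is accepted before the real answer arrives."""
    if bits <= 0:
        return 1.0
    miss = 1.0 - 2.0 ** (-bits)
    return 1.0 - miss ** forged_per_race


def forged_responses_needed(bits, target_probability=0.5):
    """Spoofed responses per race so the race succeeds with at least
    `target_probability`. Kaminsky's observation is that a lost race costs
    nothing: the attacker asks for a new random subdomain and races again,
    so a cheap per-race cost means the cache is poisoned within seconds."""
    if bits <= 0:
        return 1
    miss = 1.0 - 2.0 ** (-bits)
    return math.ceil(math.log(1.0 - target_probability) / math.log(miss))


if __name__ == "__main__":
    for label, sample in (("vulnerable", VULNERABLE_QUERIES),
                          ("hardened", HARDENED_QUERIES)):
        gs = guess_space(sample)
        n = forged_responses_needed(gs["total_bits"])
        print(f"{label}: static_port={gs['static_port']} "
              f"txid_stride={gs['txid_stride']} bits={gs['total_bits']:.1f} "
              f"forged responses for a 50% race={n}")
```

To run the first check against a real application, capture its outgoing DNS queries (for example with tcpdump on UDP port 53) and feed the (source port, transaction ID) pairs to `guess_space` in send order: a single source port or a non-None stride is the weak pattern this advisory describes. The second check shows why the combination matters: with a static port and a predictable ID the first forged packet can succeed, a random 16-bit ID alone needs on the order of 45,000 forged packets per race for even odds, and adding a random port pushes that into the millions per race.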

Generated by OpenCVE AI on June 12, 2026 at 15:24 UTC.

Remediation

Fixed in Netty 4.1.135.Final and 4.2.15.Final (see Description and the GitHub advisory). No vendor workaround for earlier versions is listed.

OpenCVE Recommended Actions

  • Update Netty to 4.1.135.Final (4.1.x line) or 4.2.15.Final (4.2.x line) or later.
  • Confirm that every component of the deployment references the updated version. The affected code lives in the netty-resolver-dns artifact, which frameworks built on Netty commonly pull in transitively, so check the resolved dependency tree rather than only direct dependencies, and rebuild or redeploy where needed.
  • As a temporary containment measure until the patch is applied, limit exposure of the resolver's UDP source port: allow inbound UDP to it only from the configured upstream resolvers, and prefer upstream resolvers on a trusted path (for example, a caching resolver on localhost or the local segment). Note the limit of this measure: the attack works by spoofing responses, and an address allow-list does not stop an off-path attacker from forging the upstream resolver's source address, so filtering narrows the window without closing it.

Generated by OpenCVE AI on June 12, 2026 at 15:24 UTC.

Advisories
Source       ID                   Title
GitHub GHSA  GHSA-xmv7-r254-6q78  Netty: DNS Cache Poisoning due to Predictable PRNG and Default Static Source Port
History

Fri, 12 Jun 2026 16:30:00 +0000

Type     Values Removed  Values Added
Metrics  (none)          ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 12 Jun 2026 15:45:00 +0000

Type                 Values Removed  Values Added
First Time appeared  (none)          Netty
                                     Netty netty
Vendors & Products   (none)          Netty
                                     Netty netty

Fri, 12 Jun 2026 14:30:00 +0000

Type         Values Removed  Values Added
Description  (none)          Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty's DNS resolver uses a predictable PRNG for generating DNS transaction IDs and defaults to a static UDP source port. This combination reduces the entropy of DNS queries, enabling DNS Cache Poisoning (Kaminsky attack). Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Title        (none)          Netty: DNS Cache Poisoning due to Predictable PRNG and Default Static Source Port
Weaknesses   (none)          CWE-330
                             CWE-340
References
Metrics      (none)          cvssV3_1: {'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T16:05:32.064Z

Reserved: 2026-05-12T21:59:25.666Z

Link: CVE-2026-45673

Vulnrichment

Updated: 2026-06-12T16:05:28.208Z

NVD

Status : Undergoing Analysis

Published: 2026-06-12T15:16:27.417

Modified: 2026-06-12T15:55:06.377

Link: CVE-2026-45673

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T15:30:31Z

Weaknesses
  • CWE-330: Use of Insufficiently Random Values
  • CWE-340: Generation of Predictable Numbers or Identifiers