Description
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty's DNS resolver uses a predictable PRNG for generating DNS transaction IDs and defaults to a static UDP source port. This combination reduces the entropy of DNS queries, enabling DNS Cache Poisoning (Kaminsky attack). Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Published: 2026-06-12
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Netty's DNS resolver generates transaction IDs with a predictable pseudo-random number generator and, by default, sends every query from a single static UDP source port. A resolver that randomises both the 16-bit transaction ID and the source port forces a blind attacker to guess roughly 32 bits per query; with a static port only the 16-bit ID is left, and when that ID is also predictable an off-path attacker who can send UDP packets with a spoofed source address to the resolver needs only a few forged replies per query instead of a long race. A forged reply that is accepted is cached and then used by whatever application is built on Netty's resolver, so the attacker can steer that application's subsequent connections to addresses of their choosing (Kaminsky-style cache poisoning).

Affected Systems

The vulnerability affects Netty for Java before 4.1.135.Final on the 4.1 line and before 4.2.15.Final on the 4.2 line. Any application or service that performs DNS resolution over UDP through Netty's own resolver with one of these versions is at risk. The defect is in Netty's resolver, so an application that ships Netty but resolves names through the JDK's default resolver does not exercise the vulnerable code.

Risk and Exploitability

The CVSS 3.1 base score of 6.8 (vector AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N) places the vulnerability in the medium range: it is reachable over the network without privileges or user interaction, but attack complexity is high because the attacker still has to land a forged reply before the genuine one arrives, and the impact is to the integrity of resolution results rather than confidentiality or availability. The EPSS score below 1% indicates a low predicted likelihood of exploitation activity, and absence from CISA's KEV catalog means no confirmed in-the-wild exploitation has been recorded; it does not mean the technique is unknown, since Kaminsky-style poisoning is well documented and generic. The likely attack path is an off-path attacker who triggers lookups from the Netty resolver and floods its static source port with replies spoofed from the upstream server's address; a reply is accepted as soon as its transaction ID matches the outstanding query, and with a predictable ID that match takes very few attempts.

Generated by OpenCVE AI on June 13, 2026 at 13:21 UTC.
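The entropy arithmetic behind the Impact and Risk paragraphs above, as an added Python model that is not Netty code and not part of this advisory. The "predictable" generator is a constructed toy 16-bit LCG whose state is its last output, standing in for an unspecified weak PRNG (the page does not say what Netty used); the static port value, the ephemeral port range and the 2000 forged replies per race are assumptions. It compares three resolver configurations: static port with predictable ID, static port with random ID, and random port with random ID (the RFC 5452 posture).

```python
"""Blind (Kaminsky-style) DNS cache-poisoning race, modelled for the Netty advisory.

Added illustration; not Netty code, and `next_txid` is a constructed toy
generator, not Netty's real PRNG. Port and trial values are assumptions.
"""
import random

TXID_SPACE = 1 << 16                # DNS transaction IDs are 16 bits
PORT_LOW, PORT_HIGH = 1024, 65535   # assumed ephemeral range for the randomised-port case
PORT_SPACE = PORT_HIGH - PORT_LOW + 1
STATIC_PORT = 5353                  # assumed value; any fixed, attacker-known port behaves alike


def next_txid(state: int) -> int:
    """Toy predictable generator: a 16-bit LCG whose whole state is the ID it
    just emitted, so one ID seen on the wire yields every later ID."""
    return (state * 1103515245 + 12345) & 0xFFFF


def pair_index(port: int, txid: int) -> int:
    """Map a (source port, txid) pair to one integer in [0, PORT_SPACE * TXID_SPACE)."""
    return (port - PORT_LOW) * TXID_SPACE + txid


def attacker_hits(actual: int, start: int, guesses: int, space: int) -> bool:
    """The attacker sprays `guesses` consecutive indices from `start` (wrapping);
    the race is won if the resolver's real index falls inside that block."""
    return (actual - start) % space < guesses


def win_probability(guesses: int, space: int) -> float:
    """Analytic per-race success chance for `guesses` distinct forged replies
    fired into a uniform space of `space` (port, txid) pairs."""
    return min(1.0, guesses / space)


def expected_races(guesses: int, space: int) -> float:
    """Mean number of races (each needs a fresh outstanding query) until one poison lands."""
    return 1.0 / win_probability(guesses, space)


def simulate(mode: str, trials: int, guesses: int, seed: int = 1) -> float:
    """Monte Carlo per-race win rate for three resolver configurations:
      'predictable' - static port, toy LCG txid (the attacker saw the previous ID
                      by making the resolver query a zone the attacker controls)
      'static_port' - static port, uniformly random 16-bit txid
      'random_port' - random source port and random txid (~2^16 * 2^16 space)
    """
    rng = random.Random(seed)
    state = rng.randrange(TXID_SPACE)       # resolver's current generator state
    wins = 0
    for _ in range(trials):
        if mode == "predictable":
            observed = state                # leaked to the attacker by the priming query
            state = next_txid(state)        # ID of the query the attacker wants to poison
            actual, start, k, space = state, next_txid(observed), 1, TXID_SPACE
        elif mode == "static_port":
            actual = rng.randrange(TXID_SPACE)
            start, k, space = rng.randrange(TXID_SPACE), guesses, TXID_SPACE
        elif mode == "random_port":
            actual = pair_index(rng.randrange(PORT_LOW, PORT_HIGH + 1), rng.randrange(TXID_SPACE))
            space = PORT_SPACE * TXID_SPACE
            start, k = rng.randrange(space), guesses
        else:
            raise ValueError(f"unknown mode {mode!r}")
        # A resolver accepts the first reply whose destination port and txid match its query.
        if attacker_hits(actual, start, k, space):
            wins += 1
    return wins / trials


if __name__ == "__main__":
    k = 2000   # forged replies the attacker can land before the real answer (assumed)
    print(f"expected races, static port + random txid: {expected_races(k, TXID_SPACE):.1f}")
    print(f"expected races, random port + random txid: {expected_races(k, PORT_SPACE * TXID_SPACE):,.0f}")
    for mode in ("predictable", "static_port", "random_port"):
        print(f"{mode:12s} win rate per race: {simulate(mode, 20000, k):.5f}")
```

Running it shows the predictable case winning every race with a single forged packet, the static-port case landing a poison about once every 33 races (65536/2000), and the randomised-port case needing on the order of two million races. That gap is why the fix restores both an unpredictable ID and a randomised source port rather than either alone.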

Remediation

Fixed in Netty 4.1.135.Final and 4.2.15.Final, per the description above; no vendor workaround is listed.

OpenCVE Recommended Actions

  • Update Netty to 4.1.135.Final or later on the 4.1 line, or 4.2.15.Final or later on the 4.2 line.
  • Confirm that every component of the deployment, including transitive dependencies and any shaded or bundled copies of Netty, references the updated version, then rebuild or redeploy as necessary.
  • Until the upgrade is deployed, limit who can reach the resolver's static source port: allow inbound UDP to it only from the configured upstream DNS servers, and keep those servers on a path where source-address spoofing is filtered (for example a recursive resolver on localhost or an internal segment with ingress anti-spoofing), since an off-path attacker must spoof the upstream server's address for a forged reply to be considered at all. Treat this as containment only; it narrows the attacker's position but does not restore the missing entropy.

Generated by OpenCVE AI on June 13, 2026 at 13:21 UTC.
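A quick way to carry out the first two actions across a build, as an added Python example that is not OpenCVE's or Netty's tooling: it reads Maven `dependency:tree` or Gradle-style coordinates, flags the artifacts that carry the DNS resolver when they are below the fixed versions, and reports mixed Netty versions in one build. That the resolver ships in io.netty:netty-resolver-dns (and in the netty-all bundle) is an assumption outside this page, and the dependency tree in the block is constructed rather than taken from a real project.

```python
"""Flag Netty dependencies below the versions that fix this advisory.

Added example; it is not OpenCVE's or Netty's tooling. It assumes the DNS
resolver ships in the io.netty:netty-resolver-dns artifact (also bundled in
netty-all); the dependency tree below is constructed, not from a real build.
"""
import re

# Fixed versions from the advisory, keyed by (major, minor) branch.
FIXED_IN = {(4, 1): 135, (4, 2): 15}
RESOLVER_ARTIFACTS = {"netty-resolver-dns", "netty-all"}   # assumption: where the resolver lives

# Matches Maven (group:artifact:packaging:version:scope) and Gradle (group:artifact:version) forms.
COORD = re.compile(r"\bio\.netty:([A-Za-z0-9._-]+)(?::[a-z]+)?:([0-9][A-Za-z0-9._-]*)")

# Constructed `mvn dependency:tree`-style output with one stale resolver and one fixed bundle.
SAMPLE_TREE = """\
[INFO] com.example:api:jar:1.0.0
[INFO] +- io.netty:netty-resolver-dns:jar:4.1.134.Final:compile
[INFO] |  +- io.netty:netty-common:jar:4.1.134.Final:compile
[INFO] |  \\- io.netty:netty-codec-dns:jar:4.1.134.Final:compile
[INFO] +- io.netty:netty-all:jar:4.2.15.Final:test
[INFO] \\- io.netty:netty-handler:jar:4.1.134.Final:compile
"""


def parse_version(version: str):
    """'4.1.134.Final' -> (4, 1, 134); None if the string does not start major.minor.patch."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    return tuple(int(x) for x in m.groups()) if m else None


def status(version: str) -> str:
    """Classify a Netty version against the advisory's fixed versions."""
    parsed = parse_version(version)
    if parsed is None:
        return "unparsed"
    major, minor, patch = parsed
    fixed = FIXED_IN.get((major, minor))
    if fixed is None:
        return "unknown-branch"        # the advisory names only the 4.1 and 4.2 lines
    return "vulnerable" if patch < fixed else "fixed"


def netty_coords(text: str):
    """Yield (artifact, version) for every io.netty coordinate in the tree text."""
    for line in text.splitlines():
        m = COORD.search(line)
        if m:
            yield m.group(1), m.group(2)


def scan_tree(text: str):
    """Findings for the resolver-bearing artifacts only."""
    return [(a, v, status(v)) for a, v in netty_coords(text) if a in RESOLVER_ARTIFACTS]


def netty_versions(text: str):
    """Distinct io.netty versions present; more than one means the build mixes Netty
    releases, which also needs fixing so a patched resolver is not paired with older jars."""
    return sorted({v for _, v in netty_coords(text)})


if __name__ == "__main__":
    for artifact, version, verdict in scan_tree(SAMPLE_TREE):
        print(f"{artifact:20s} {version:16s} {verdict}")
    versions = netty_versions(SAMPLE_TREE)
    if len(versions) > 1:
        print("mixed Netty versions in one build:", ", ".join(versions))
```

Versions on lines the advisory does not name (for example 4.0.x) are reported as unknown-branch rather than fixed, so they still get reviewed instead of silently passing.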

Advisories

Source: GitHub GHSA
ID: GHSA-xmv7-r254-6q78
Title: Netty: DNS Cache Poisoning due to Predictable PRNG and Default Static Source Port

History

Mon, 15 Jun 2026 02:15:00 +0000
  • CPEs, values added: cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*

Sat, 13 Jun 2026 12:15:00 +0000
  • Weaknesses, values added: CWE-1241
  • References: updated
  • Metrics (threat_severity), values removed: None; values added: Moderate

Fri, 12 Jun 2026 16:30:00 +0000
  • Metrics (ssvc), values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 12 Jun 2026 15:45:00 +0000
  • First Time appeared, values added: vendor Netty; product Netty netty
  • Vendors & Products, values added: vendor Netty; product Netty netty

Fri, 12 Jun 2026 14:30:00 +0000
  • Description, values added: Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty's DNS resolver uses a predictable PRNG for generating DNS transaction IDs and defaults to a static UDP source port. This combination reduces the entropy of DNS queries, enabling DNS Cache Poisoning (Kaminsky attack). Versions 4.1.135.Final and 4.2.15.Final patch the issue.
  • Title, values added: Netty: DNS Cache Poisoning due to Predictable PRNG and Default Static Source Port
  • Weaknesses, values added: CWE-330, CWE-340
  • References: updated
  • Metrics (cvssV3_1), values added: {'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N'}

MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-06-12T16:05:32.064Z
Reserved: 2026-05-12T21:59:25.666Z
Link: CVE-2026-45673

Vulnrichment

Updated: 2026-06-12T16:05:28.208Z

NVD

Status: Analyzed
Published: 2026-06-12T15:16:27.417
Modified: 2026-06-15T02:14:01.047
Link: CVE-2026-45673

Redhat

Severity: Moderate
Public Date: 2026-06-12T14:16:03Z
Links: CVE-2026-45673 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-13T13:30:09Z

Weaknesses
  • CWE-1241: Use of Predictable Algorithm in Random Number Generator
  • CWE-330: Use of Insufficiently Random Values
  • CWE-340: Generation of Predictable Numbers or Identifiers