Description
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty's `DnsResolveContext` insufficiently validates the bailiwick of NS records, enabling DNS Cache Poisoning. An attacker controlling an authoritative name server for a subdomain can poison the cache for parent domains (like `.co.uk`). The `io.netty.resolver.dns.DnsResolveContext.AuthoritativeNameServerList#add` method accepts any NS record from the AUTHORITY section as long as the record's name is a suffix of the `questionName`. Subsequently, the `handleWithAdditional` method caches the associated A records from the ADDITIONAL section directly into the `authoritativeDnsServerCache` under the parent domain's key. This bypasses standard bailiwick rules, where a server authoritative for a subdomain should not be trusted to provide authoritative records for its parent. The poisoned cache is then used for all future resolutions under the parent domain's key. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Published: 2026-06-12
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Netty's DNS resolver component fails to enforce bailiwick checks on NS records in the AUTHORITY section, allowing an attacker who controls an authoritative name server for a subdomain to inject malicious A records for a parent domain. This is a CWE-345 vulnerability, indicating insufficient validation of the bailiwick of NS records. The flaw can be exploited to poison the Netty cache so that future resolutions for the parent domain use attacker‑controlled IP addresses, potentially enabling man‑in‑the‑middle attacks or traffic redirection.
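The gap between the suffix-only rule and a bailiwick rule can be seen in a simplified model. This is an added example, not Netty's code or the upstream patch; the `serverZone` parameter, the helper names and the sample domain names are assumptions constructed for illustration.

```java
import java.util.Locale;

public class BailiwickCheck {
    // Lower-case and ensure a trailing dot so names compare as absolute FQDNs.
    static String canonical(String name) {
        String n = name.toLowerCase(Locale.ROOT);
        return n.endsWith(".") ? n : n + ".";
    }

    // True when 'name' equals 'zone' or lies below it, matched on label boundaries
    // (so "notco.uk." is not treated as part of "co.uk.").
    static boolean isInZone(String name, String zone) {
        String n = canonical(name), z = canonical(zone);
        if (z.equals(".")) return true; // the root zone contains every name
        return n.equals(z) || n.endsWith("." + z);
    }

    // Weak rule from the description: the NS owner name only has to be
    // a suffix of the question name.
    static boolean suffixOnly(String nsOwner, String questionName) {
        return isInZone(questionName, nsOwner);
    }

    // Bailiwick rule: the NS owner must additionally lie inside the zone for which
    // the responding server was queried (serverZone, a hypothetical parameter).
    static boolean inBailiwick(String nsOwner, String questionName, String serverZone) {
        return suffixOnly(nsOwner, questionName) && isInZone(nsOwner, serverZone);
    }

    public static void main(String[] args) {
        // Constructed sample: the resolver asks a server delegated for
        // attacker.co.uk about www.attacker.co.uk and inspects AUTHORITY NS owners.
        String question = "www.attacker.co.uk";
        String serverZone = "attacker.co.uk";
        String[] nsOwners = {"co.uk", "attacker.co.uk", "www.attacker.co.uk", "example.org"};
        for (String owner : nsOwners) {
            System.out.printf("%-20s suffixOnly=%-5b inBailiwick=%b%n",
                    owner, suffixOnly(owner, question),
                    inBailiwick(owner, question, serverZone));
        }
    }
}
```

An NS record owned by `co.uk` passes the suffix-only rule but fails the bailiwick rule, so its glue from the ADDITIONAL section would not be cached under the parent domain's key.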

Affected Systems

The vulnerability affects Netty releases prior to 4.1.135.Final and 4.2.15.Final. Systems running these Netty versions in any network-intensive application are exposed.

Risk and Exploitability

The flaw carries a CVSS score of 8.7, indicating high severity. The EPSS score of less than 1% suggests exploitation is unlikely in the wild, and it is not listed in CISA’s KEV catalog. Exploitation requires the attacker to be able to serve as an authoritative name server for a subdomain and to inject a parent‑domain cache entry through standard DNS query traffic to the vulnerable Netty instance.

Generated by OpenCVE AI on June 12, 2026 at 16:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Netty to 4.1.135.Final or later, or to 4.2.15.Final or later.
  • If an immediate update is not feasible, isolate the application from untrusted DNS traffic by restricting outbound queries to internal or verified name servers.
  • Ensure that proactive DNS caching is disabled or that cache entries are validated against proper bailiwick rules before use.


Advisories
Source: Github GHSA
ID: GHSA-5pvg-856g-cp85
Title: Netty has Insufficient Bailiwick Validation for NS Records
History

Fri, 12 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Netty
Netty netty
Vendors & Products Netty
Netty netty

Fri, 12 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 12 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty's `DnsResolveContext` insufficiently validates the bailiwick of NS records, enabling DNS Cache Poisoning. An attacker controlling an authoritative name server for a subdomain can poison the cache for parent domains (like `.co.uk`). The `io.netty.resolver.dns.DnsResolveContext.AuthoritativeNameServerList#add` method accepts any NS record from the AUTHORITY section as long as the record's name is a suffix of the `questionName`. Subsequently, the `handleWithAdditional` method caches the associated A records from the ADDITIONAL section directly into the `authoritativeDnsServerCache` under the parent domain's key. This bypasses standard bailiwick rules, where a server authoritative for a subdomain should not be trusted to provide authoritative records for its parent. The poisoned cache is then used for all future resolutions under the parent domain's key. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Title Netty has Insufficient Bailiwick Validation for NS Records
Weaknesses CWE-345
References
Metrics cvssV3_1

{'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T16:07:56.967Z

Reserved: 2026-05-19T21:18:20.403Z

Link: CVE-2026-47691

Vulnrichment

Updated: 2026-06-12T16:07:52.704Z

NVD

Status: Undergoing Analysis

Published: 2026-06-12T16:16:30.310

Modified: 2026-06-12T16:18:27.287

Link: CVE-2026-47691

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T17:00:07Z

Weaknesses
  • CWE-345

    Insufficient Verification of Data Authenticity