GHSA-676x-f7gg-47vc
Suggest an improvement- Source
- https://github.com/advisories/GHSA-676x-f7gg-47vc
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-676x-f7gg-47vc/GHSA-676x-f7gg-47vc.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-676x-f7gg-47vc
- Aliases
-
- CVE-2026-45674
- Downstream
- Related
- Published
- 2026-06-08T23:02:26Z
- Modified
- 2026-06-12T19:45:11.461282859Z
- Severity
-
- 8.7 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N CVSS Calculator
- Summary
- Netty Vulnerable to DNS Cache Poisoning via Missing Bailiwick Checks in CNAME Records
- Details
-
Summary
Netty's DnsResolveContext fails to validate the origin (bailiwick) of CNAME records in DNS responses.
Details
In
io.netty.resolver.dns.DnsResolveContext#buildAliasMap, the resolver processes the ANSWER section of a DNS response and blindly caches all CNAME records it finds.According to https://datatracker.ietf.org/doc/html/rfc5452#section-6
Care must be taken to only accept data if it is known that the originator is authoritative for the QNAME or a parent of the QNAME. One very simple way to achieve this is to only accept data if it is part of the domain for which the query was intended.Impact
DNS Cache Poisoning (Bailiwick Bypass). Any application using Netty's DNS resolver is impacted.
- Database specific
{ "github_reviewed": true, "github_reviewed_at": "2026-06-08T23:02:26Z", "nvd_published_at": "2026-06-12T15:16:27Z", "severity": "HIGH", "cwe_ids": [ "CWE-345" ] }- References
Affected packages
Maven / io.netty:netty-resolver-dns
Package
- Name
- io.netty:netty-resolver-dns
- View open source insights on deps.dev
- Purl
- pkg:maven/io.netty/netty-resolver-dns
Maven / io.netty:netty-resolver-dns
Package
- Name
- io.netty:netty-resolver-dns
- View open source insights on deps.dev
- Purl
- pkg:maven/io.netty/netty-resolver-dns
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed4.1.135.Final
Affected versions
4.*
4.1.0.Beta4
4.1.0.Beta5
4.1.0.Beta6
4.1.0.Beta7
4.1.0.Beta8
4.1.0.CR1
4.1.0.CR2
4.1.0.CR3
4.1.0.CR4
4.1.0.CR5
4.1.0.CR6
4.1.0.CR7
4.1.0.Final
4.1.1.Final
4.1.2.Final
4.1.3.Final
4.1.4.Final
4.1.5.Final
4.1.6.Final
4.1.7.Final
4.1.8.Final
4.1.9.Final
4.1.10.Final
4.1.11.Final
4.1.12.Final
4.1.13.Final
4.1.14.Final
4.1.15.Final
4.1.16.Final
4.1.17.Final
4.1.18.Final
4.1.19.Final
4.1.20.Final
4.1.21.Final
4.1.22.Final
4.1.23.Final
4.1.24.Final
4.1.25.Final
4.1.26.Final
4.1.27.Final
4.1.28.Final
4.1.29.Final
4.1.30.Final
4.1.31.Final
4.1.32.Final
4.1.33.Final
4.1.34.Final
4.1.35.Final
4.1.36.Final
4.1.37.Final
4.1.38.Final
4.1.39.Final
4.1.40.Final
4.1.41.Final
4.1.42.Final
4.1.43.Final
4.1.44.Final
4.1.45.Final
4.1.46.Final
4.1.47.Final
4.1.48.Final
4.1.49.Final
4.1.50.Final
4.1.51.Final
4.1.52.Final
4.1.53.Final
4.1.54.Final
4.1.55.Final
4.1.56.Final
4.1.57.Final
4.1.58.Final
4.1.59.Final
4.1.60.Final
4.1.61.Final
4.1.62.Final
4.1.63.Final
4.1.64.Final
4.1.65.Final
4.1.66.Final
4.1.67.Final
4.1.68.Final
4.1.69.Final
4.1.70.Final
4.1.71.Final
4.1.72.Final
4.1.73.Final
4.1.74.Final
4.1.75.Final
4.1.76.Final
4.1.77.Final
4.1.78.Final
4.1.79.Final
4.1.80.Final
4.1.81.Final
4.1.82.Final
4.1.83.Final
4.1.84.Final
4.1.85.Final
4.1.86.Final
4.1.87.Final
4.1.88.Final
4.1.89.Final
4.1.90.Final
4.1.91.Final
4.1.92.Final
4.1.93.Final
4.1.94.Final
4.1.95.Final
4.1.96.Final
4.1.97.Final
4.1.98.Final
4.1.99.Final
4.1.100.Final
4.1.101.Final
4.1.102.Final
4.1.103.Final
4.1.104.Final
4.1.105.Final
4.1.106.Final
4.1.107.Final
4.1.108.Final
4.1.109.Final
4.1.110.Final
4.1.111.Final
4.1.112.Final
4.1.113.Final
4.1.114.Final
4.1.115.Final
4.1.116.Final
4.1.117.Final
4.1.118.Final
4.1.119.Final
4.1.120.Final
4.1.121.Final
4.1.122.Final
4.1.123.Final
4.1.124.Final
4.1.125.Final
4.1.126.Final
4.1.127.Final
4.1.128.Final
4.1.129.Final
4.1.130.Final
4.1.131.Final
4.1.132.Final
4.1.133.Final
4.1.134.Final