CVE-2026-45674: Netty Vulnerable to DNS Cache Poisoning via Missing Bailiwick Checks in CNAME Records
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty's DnsResolveContext fails to validate the origin (bailiwick) of CNAME records in DNS responses. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Metrics
- CVSS v3.1: 8.7
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A DNS cache poisoning vulnerability exists in Netty's DNS resolver, specifically in the DnsResolveContext component, which fails to validate whether CNAME records in DNS responses actually belong to the domain being queried (a check known as bailiwick validation). The vulnerability is remotely reachable over the network, requires no authentication, and involves no victim interaction, though exploitation is conditional on timing and network positioning due to high attack complexity. Successful exploitation lets an attacker redirect DNS resolution to attacker-controlled servers, enabling full compromise of confidentiality and integrity of data exchanged over connections the poisoned DNS entry governs. HarborGuard is tracking this advisory for patch availability, as no fix version has been published upstream at this time.
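The check the synopsis describes is easiest to see on a toy resolver. The block below is an added illustration, not Netty's code (Netty is Java; Python is used here as a stand-in): a stub resolver receives an answer section for a queried name and keeps only records that are in bailiwick, meaning the CNAME chain that starts at the question name plus the address records owned by the chain's final name. Every other record, such as a CNAME whose owner is a name the client never asked about, is rejected rather than cached. The record model, the depth limit and the sample responses are all constructed for the example; the addresses come from the RFC 5737 documentation ranges.

```python
"""Bailiwick filtering for CNAME chains in a DNS answer section (illustration)."""
from __future__ import annotations

from dataclasses import dataclass

MAX_CNAME_DEPTH = 16  # assumed limit; also bounds how far a CNAME loop is followed


@dataclass(frozen=True)
class Record:
    name: str    # owner name of the record
    rtype: str   # "CNAME", "A" or "AAAA"
    data: str    # CNAME target, or an IP address for A/AAAA


def _norm(name: str) -> str:
    # DNS names are case-insensitive; drop the trailing dot before comparing.
    return name.rstrip(".").lower()


def split_by_bailiwick(question: str, records: list[Record]) -> tuple[list[Record], list[Record]]:
    """Return (accepted, rejected) for one answer section.

    Accepted: the CNAME chain starting at `question`, then the A/AAAA records
    owned by the chain's final name. Rejected: everything else, including a
    CNAME for a name we never queried, which is what a poisoned reply relies on.
    """
    current = _norm(question)
    seen = {current}
    remaining = list(records)
    accepted: list[Record] = []

    for _ in range(MAX_CNAME_DEPTH):
        cname = next((r for r in remaining
                      if r.rtype == "CNAME" and _norm(r.name) == current), None)
        if cname is None:
            break
        accepted.append(cname)
        remaining.remove(cname)
        target = _norm(cname.data)
        if target in seen:
            # CNAME loop: stop following; no address record can be trusted for it.
            break
        seen.add(target)
        current = target

    rejected: list[Record] = []
    for r in remaining:
        if r.rtype in ("A", "AAAA") and _norm(r.name) == current:
            accepted.append(r)
        else:
            rejected.append(r)
    return accepted, rejected


def resolve_addresses(question: str, records: list[Record]) -> list[str]:
    """Addresses a bailiwick-checking resolver would return for `question`."""
    accepted, _ = split_by_bailiwick(question, records)
    return [r.data for r in accepted if r.rtype in ("A", "AAAA")]


def naive_cache(records: list[Record]) -> dict[str, list[Record]]:
    """What a resolver without the check does: cache every record by owner name."""
    cache: dict[str, list[Record]] = {}
    for r in records:
        cache.setdefault(_norm(r.name), []).append(r)
    return cache


# Constructed sample responses for the query below.
QUESTION = "www.example.test"
LEGIT_RESPONSE = [
    Record("www.example.test", "CNAME", "cdn.example.test"),
    Record("cdn.example.test", "A", "192.0.2.10"),
]
# The same legitimate chain, plus a CNAME for a name the client never queried.
POISONED_RESPONSE = LEGIT_RESPONSE + [
    Record("login.bank.test", "CNAME", "evil.attacker.test"),
    Record("evil.attacker.test", "A", "203.0.113.5"),
]

if __name__ == "__main__":
    accepted, rejected = split_by_bailiwick(QUESTION, POISONED_RESPONSE)
    print("addresses:", resolve_addresses(QUESTION, POISONED_RESPONSE))
    print("rejected :", [(r.name, r.rtype, r.data) for r in rejected])
    print("naive cache would hold:", sorted(naive_cache(POISONED_RESPONSE)))
```

Run against `POISONED_RESPONSE`, the checked resolver still returns `192.0.2.10` for `www.example.test` and drops both out-of-bailiwick records, whereas `naive_cache` shows the entry for `login.bank.test` that an unchecked resolver would keep. A response whose CNAME is owned by some other name than the question (or a CNAME loop) yields no addresses at all, which is the safe failure.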
HarborGuard Coverage
Detection of CVE-2026-45674 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all container images in customer registries and CI/CD pipelines, including custom-built images that bundle Netty as a dependency. Any image containing a vulnerable Netty version in the affected range is flagged automatically on each scan cycle. Status: Available.
HarborGuard scores this finding at CVSS 8.7 HIGH and weights it further against each customer organization's compliance policy, taking into account asset criticality and exposure context before routing the alert to the appropriate team inbox. Per-environment policy weighting ensures that internet-facing workloads using Netty's DNS resolver surface at the top of the triage queue. Status: Available.
Because no upstream fix has been published yet, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment versions 4.1.135.Final or 4.2.15.Final are released. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered automatically as soon as a confirmed fix version is detected. Status: Pending upstream.
Exploit Conditions
- Network reachability: Required
The attacker must be able to reach the target's DNS resolution traffic over the network, positioning themselves to inject malicious DNS responses.
- Authentication: Not required
No credentials or prior account access are needed to attempt this attack; an unauthenticated network-positioned attacker can send crafted DNS responses.
- Victim interaction: Not required
No user action is required; exploitation targets the DNS resolver's automated response-processing logic without any human interaction.
- Attack complexity: High
Exploitation is rated high complexity, requiring the attacker to win a race condition or otherwise position themselves to deliver a forged DNS response before the legitimate reply arrives.
Blast Radius
- Redirects DNS resolution for targeted hostnames to attacker-controlled servers, allowing the attacker to intercept or proxy all application-layer traffic the affected service routes through those names.
- Reads plaintext or decryptable application data transmitted to the attacker's spoofed endpoint, including credentials, session tokens, and API payloads.
- Modifies data in transit by serving attacker-controlled responses, allowing tampering with any content the application fetches via the poisoned DNS entry.
- Scope extends beyond the originating container: because CVSS scope is changed, downstream services that trust the affected Netty resolver's answers are also exposed to misdirected traffic.
How HarborGuard Handles This
Available on HarborGuard: continuous monitoring of this advisory is active across all customer environments, with every image containing a Netty version in the affected range flagged on each scan cycle. Because no upstream patch exists yet, HarborGuard will not generate a patched-image rebuild until versions 4.1.135.Final or 4.2.15.Final are confirmed published. In the interim, compensating controls that customers can apply include isolating affected workloads behind restrictive network policies that limit outbound DNS to a single trusted recursive resolver, enabling DNS-over-TLS or DNS-over-HTTPS at the infrastructure layer to make response injection significantly harder, and disabling or replacing Netty's built-in DNS resolver with the platform's system resolver where the application architecture permits. For customers with auto-remediation enabled, the moment a fix version is detected upstream, HarborGuard will automatically trigger a rebuilt image, execute a regression test run, and open a PR against affected workloads.
- netty / netty: >= 4.2.0.Final, < 4.2.15.Final · < 4.1.135.Final
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N