{"document":{"category":"csaf_vex","csaf_version":"2.0","title":"CVE-2026-45674: Netty Vulnerable to DNS Cache Poisoning via Missing Bailiwick Checks in CNAME Records","publisher":{"category":"vendor","name":"HarborGuard Database","namespace":"https://database.harborguard.co"},"tracking":{"id":"CVE-2026-45674","status":"final","version":"1","initial_release_date":"2026-06-12T14:17:50.203Z","current_release_date":"2026-06-13T03:56:01.184Z","revision_history":[{"date":"2026-06-12T14:17:50.203Z","number":"1","summary":"Initial machine-readable export from HarborGuard."}]},"distribution":{"tlp":{"label":"WHITE"},"text":"Public CVE data; freely redistributable."},"notes":[{"category":"description","text":"Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty's DnsResolveContext fails to validate the origin (bailiwick) of CNAME records in DNS responses. Versions 4.1.135.Final and 4.2.15.Final patch the issue.","title":"CVE description"}],"references":[{"category":"self","summary":"CVE-2026-45674 on HarborGuard Database","url":"https://database.harborguard.co/cve/CVE-2026-45674"},{"category":"external","summary":"CVE Record","url":"https://www.cve.org/CVERecord?id=CVE-2026-45674"},{"category":"external","summary":"https://github.com/netty/netty/security/advisories/GHSA-676x-f7gg-47vc","url":"https://github.com/netty/netty/security/advisories/GHSA-676x-f7gg-47vc"},{"category":"external","summary":"https://github.com/netty/netty/releases/tag/netty-4.1.135.Final","url":"https://github.com/netty/netty/releases/tag/netty-4.1.135.Final"},{"category":"external","summary":"https://github.com/netty/netty/releases/tag/netty-4.2.15.Final","url":"https://github.com/netty/netty/releases/tag/netty-4.2.15.Final"}]},"product_tree":{"branches":[{"category":"vendor","name":"netty","branches":[{"category":"product_name","name":"netty","branches":[{"category":"product_version","name":">= 4.2.0.Final, 
< 4.2.15.Final","product":{"name":"netty netty >= 4.2.0.Final, < 4.2.15.Final","product_id":"CSAFPID-1","product_identification_helper":{"cpe":"cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"< 4.1.135.Final","product":{"name":"netty netty < 4.1.135.Final","product_id":"CSAFPID-2","product_identification_helper":{"cpe":"cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*"}}}]}]}]},"vulnerabilities":[{"cve":"CVE-2026-45674","title":"Netty Vulnerable to DNS Cache Poisoning via Missing Bailiwick Checks in CNAME Records","notes":[{"category":"description","text":"Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty's DnsResolveContext fails to validate the origin (bailiwick) of CNAME records in DNS responses. Versions 4.1.135.Final and 4.2.15.Final patch the issue.","title":"CVE description"}],"product_status":{"known_affected":["CSAFPID-1","CSAFPID-2"]},"scores":[{"cvss_v3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N","baseScore":8.7,"baseSeverity":"HIGH"},"products":["CSAFPID-1","CSAFPID-2"]}],"remediations":[{"category":"none_available","details":"This record lists no fixed version, but the CVE description states that versions 4.1.135.Final and 4.2.15.Final patch the issue. Verify against the upstream advisory and upgrade to a patched release.","product_ids":["CSAFPID-1","CSAFPID-2"]}]}]}