Severity: HIGH | CVE-2026-47691 | CNA: GitHub_M

CVE-2026-47691: Netty has Insufficient Bailiwick Validation for NS Records

Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty's `DnsResolveContext` insufficiently validates the bailiwick of NS records, enabling DNS cache poisoning. An attacker controlling an authoritative name server for a subdomain can poison the cache for parent domains (like `.co.uk`). The `io.netty.resolver.dns.DnsResolveContext.AuthoritativeNameServerList#add` method accepts any NS record from the AUTHORITY section as long as the record's name is a suffix of the `questionName`. Subsequently, the `handleWithAdditional` method caches the associated A records from the ADDITIONAL section directly into the `authoritativeDnsServerCache` under the parent domain's key. This bypasses standard bailiwick rules, under which a server authoritative for a subdomain should not be trusted to provide authoritative records for its parent. The poisoned cache is then used for all future resolutions under the parent domain's key. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
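The difference between the suffix-only acceptance rule described above and a bailiwick-aware rule, as an added example that is not Netty's code or its patch. The class, the method names and the `serverZone` input (the zone the answering server was queried as authority for) are assumptions made for illustration, and the names in `main` are constructed samples.

```java
import java.util.Locale;

// Added illustration, not Netty code: every class and method name here is hypothetical.
public class BailiwickCheck {

    // Lower-case and add the trailing root dot so suffix tests align on label boundaries.
    static String norm(String name) {
        String n = name.toLowerCase(Locale.ROOT);
        return n.endsWith(".") ? n : n + ".";
    }

    // True when `name` equals `zone` or is a subdomain of it.
    static boolean isAtOrBelow(String name, String zone) {
        String n = norm(name);
        String z = norm(zone);
        return z.equals(".") || n.equals(z) || n.endsWith("." + z);
    }

    // Weak rule from the advisory: the NS owner only has to be a suffix of the question name.
    static boolean weakAccept(String nsOwner, String questionName) {
        return isAtOrBelow(questionName, nsOwner);
    }

    // Bailiwick rule: the NS owner must also sit inside the zone that the answering
    // server was queried for (serverZone is an assumed input tracked by the resolver).
    static boolean strictAccept(String nsOwner, String questionName, String serverZone) {
        return weakAccept(nsOwner, questionName) && isAtOrBelow(nsOwner, serverZone);
    }

    public static void main(String[] args) {
        // Constructed sample: the resolver asked the server for sub.example.co.uk.
        String questionName = "www.dept.sub.example.co.uk";
        String serverZone = "sub.example.co.uk";
        String[] nsOwners = {
            "dept.sub.example.co.uk", // delegation below the server's zone
            "sub.example.co.uk",      // the server's own zone
            "example.co.uk",          // parent of the server's zone
            "co.uk"                   // public suffix above it
        };
        for (String owner : nsOwners) {
            System.out.printf("%-24s weak=%-5b strict=%b%n", owner,
                    weakAccept(owner, questionName),
                    strictAccept(owner, questionName, serverZone));
        }
    }
}
```

The suffix-only rule accepts all four owner names, while the bailiwick rule accepts only the two at or below `sub.example.co.uk` and rejects `example.co.uk` and `co.uk`.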

Metrics

  • CVSS v3.1: 8.7
  • Severity: HIGH
  • Affected Products: 1


HarborGuard Analysis

Synopsis

This is a DNS cache poisoning vulnerability in the Netty network application framework, affecting all versions prior to 4.1.135.Final and 4.2.15.Final. The flaw is reachable over the network without any authentication, and it is triggered when Netty's DNS resolver accepts NS records from a subdomain's authoritative name server without enforcing bailiwick rules, allowing those records to overwrite cached entries for parent domains. Successful exploitation lets an attacker redirect all DNS resolutions under a parent domain (such as .co.uk) to attacker-controlled servers, enabling traffic interception and data tampering across every hostname resolved under that domain. Fix versions 4.1.135.Final and 4.2.15.Final have been published upstream; a patched-image rebuild at those versions is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection of CVE-2026-47691 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds (including GitHub Advisory Database) within minutes of publication and matched against all customer images in connected registries and CI pipelines, including custom-built images that bundle Netty as a transitive dependency.

Status: Available

Triage

HarborGuard is capable of scoring this finding at CVSS 8.7 HIGH and weighting it against each environment's active compliance policy to determine urgency and routing. Triage findings are surfaced to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Status: Available

Patch

Because fix versions 4.1.135.Final and 4.2.15.Final are published upstream, a patched-image rebuild at those versions is available on HarborGuard for any environment running an affected version of Netty. For customers who opt into auto-remediation, HarborGuard is capable of performing the rebuild, running a regression test suite, and opening a pull request against affected workloads automatically.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must operate a malicious authoritative name server reachable over the internet and must be in a position to respond to DNS queries directed at a subdomain they control.

  • Authentication: Not required

    No credentials or account of any kind are needed; the attack is conducted entirely through DNS protocol responses from a server the attacker controls.

  • Victim interaction: Not required

    No user or administrator action is required; the poisoning occurs automatically whenever the vulnerable Netty resolver queries a subdomain under the attacker's control.

  • Attack complexity: Detail

    Attack complexity is rated High because the attacker must control an authoritative name server for a relevant subdomain and time the DNS response correctly, introducing meaningful environmental preconditions beyond simply sending a packet.

Blast Radius

  • An attacker redirects all future DNS lookups under a poisoned parent domain (for example, every hostname under .co.uk) to servers they control, allowing full interception of plaintext traffic to those hosts.
  • Where TLS certificate validation is weak or absent, the attacker reads application-layer payloads including session tokens, API keys, and user credentials exchanged with any redirected hostname.
  • The attacker serves modified responses to clients connecting to redirected hostnames, altering application data, injecting malicious content, or silently proxying and logging communications.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-47691 is active across all connected registries and pipelines as of ingestion, with findings scored at CVSS 8.7 HIGH and routed according to each environment's compliance policy. Because fix versions 4.1.135.Final and 4.2.15.Final are available upstream, a patched-image rebuild is available on HarborGuard for any environment running an affected Netty version. For customers who opt into auto-remediation, the typical flow includes an automated rebuild at the patched version, a regression test run, and a pull request opened against affected workloads; for HIGH-severity issues, median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy or operational constraints prevent immediate remediation, compensating controls worth considering include applying strict egress network policies to limit which external DNS resolvers containers can reach, isolating workloads that perform external hostname resolution behind an internal DNS proxy with its own validated cache, and monitoring DNS response logs for unexpected NS record delegations to unfamiliar authoritative servers.

Affected packages
  • netty / netty
    >= 4.2.0.Final, < 4.2.15.Final · < 4.1.135.Final
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N