CVE-2026-45674 | THREATINT

Description

Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty's DnsResolveContext fails to validate the origin (bailiwick) of CNAME records in DNS responses. Versions 4.1.135.Final and 4.2.15.Final patch the issue.

PUBLISHED Reserved 2026-05-12 | Published 2026-06-12 | Updated 2026-06-16 | Assigner GitHub_M

HIGH: 8.7CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

Problem types

CWE-345: Insufficient Verification of Data Authenticity

Product status

>= 4.2.0.Final, < 4.2.15.Final

affected

< 4.1.135.Final

affected

References

github.com/.../netty/security/advisories/GHSA-676x-f7gg-47vc

github.com/netty/netty/releases/tag/netty-4.1.135.Final

github.com/netty/netty/releases/tag/netty-4.2.15.Final

cve.org (CVE-2026-45674)

nvd.nist.gov (CVE-2026-45674)

Download JSON