CVE-2026-42579
Netty: DNS Codec Input Validation Bypass in Netty (Encoder + Decoder)
In short
Netty's DNS handling doesn't validate domain names against the standard rules (RFC 1035), allowing attackers to send crafted DNS responses or inject malicious hostnames that bypass safety checks.
Technical detail
The DNS codec in Netty versions prior to 4.2.13.Final and 4.1.133.Final fails to enforce RFC 1035 domain name constraints in both the encoder and decoder paths. Attackers can use malicious DNS responses (decoder attack vector) or user-controlled hostnames (encoder attack vector) to bypass input validation, potentially leading to denial of service or unexpected behavior.
Summary generated and translated by AI from the official description.
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's DNS codec does not enforce RFC 1035 domain name constraints during either encoding or decoding. This creates a bidirectional attack surface: malicious DNS responses can exploit the decoder, and user-influenced hostnames can exploit the encoder. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
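As an added example (not Netty's code and not its fix), the Java check below is one way an application can validate user-influenced hostnames before they reach a DNS encoder. The page does not list which RFC 1035 constraints were unenforced, so the rules checked here (63-octet labels, 255-octet names on the wire, letters-digits-hyphen labels) are assumptions, as are the class and method names.

```java
import java.nio.charset.StandardCharsets;

/** Added example: pre-validation of a hostname before it is passed to a DNS encoder. */
public final class DnsNameCheck {
    private static final int MAX_LABEL_OCTETS = 63;  // RFC 1035 section 2.3.4
    private static final int MAX_NAME_OCTETS = 255;  // RFC 1035 section 2.3.4, wire form

    /** Returns null when the name is acceptable, otherwise the reason it was rejected. */
    public static String reject(String name) {
        if (name == null || name.isEmpty()) return "empty name";
        // A single trailing dot marks a fully qualified name; drop it before splitting.
        String n = name.endsWith(".") ? name.substring(0, name.length() - 1) : name;
        if (n.isEmpty()) return null; // the root name "."
        int wire = 1; // terminating zero-length root label
        for (String label : n.split("\\.", -1)) {
            int len = label.getBytes(StandardCharsets.UTF_8).length;
            if (len == 0) return "empty label";
            if (len > MAX_LABEL_OCTETS) return "label longer than 63 octets";
            if (!isLdh(label)) return "label outside letters, digits and hyphen";
            wire += 1 + len; // one length octet plus the label octets
        }
        return wire > MAX_NAME_OCTETS ? "name longer than 255 octets on the wire" : null;
    }

    // Policy assumption: letters, digits and hyphen only, no leading or trailing hyphen.
    private static boolean isLdh(String label) {
        if (label.charAt(0) == '-' || label.charAt(label.length() - 1) == '-') return false;
        for (int i = 0; i < label.length(); i++) {
            char c = label.charAt(i);
            boolean ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                    || (c >= '0' && c <= '9') || c == '-';
            if (!ok) return false;
        }
        return true;
    }

    public static void main(String[] args) {
        String[] samples = {                          // constructed sample inputs
            "example.com.",                           // accepted
            "a..example.com",                         // empty label
            "x".repeat(64) + ".example.com",          // 64-octet label
            "bad\u0000name.example.com",              // NUL inside a label
            ("a".repeat(63) + ".").repeat(4) + "com"  // 261 octets on the wire
        };
        for (String s : samples) {
            String why = reject(s);
            System.out.println(s.length() + " chars: " + (why == null ? "ok" : "REJECT, " + why));
        }
    }
}
```

The letters-digits-hyphen policy rejects underscore-prefixed service names such as SRV owners, so relax `isLdh` where those are expected. Upgrading to 4.2.13.Final or 4.1.133.Final remains the fix; a check like this only narrows the encoder-side input.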
Affected products
netty · netty