CVE-2026-47691
Status: Undergoing Analysis - In Progress
DNS Cache Poisoning in Netty Framework

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: GitHub, Inc.

Description
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty's `DnsResolveContext` insufficiently validates the bailiwick of NS records, enabling DNS cache poisoning. An attacker controlling an authoritative name server for a subdomain can poison the cache for parent domains (like `.co.uk`). The `io.netty.resolver.dns.DnsResolveContext.AuthoritativeNameServerList#add` method accepts any NS record from the AUTHORITY section as long as the record's name is a suffix of the question name. The `handleWithAdditional` method then caches the associated A records from the ADDITIONAL section directly into the `authoritativeDnsServerCache` under the parent domain's key. This bypasses standard bailiwick rules, under which a server authoritative for a subdomain must not be trusted to provide authoritative records for its parent. The poisoned entry is then used for all subsequent resolutions under the parent domain's key. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
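As an added example (not Netty's code and not the project's patch), the following Python model reproduces the acceptance rule described above and places a bailiwick check beside it. The `Record` and `Response` classes, the toy cache, the `answering_zone` parameter and the names `evil.co.uk`, `bank.co.uk` and `203.0.113.7` are all constructed for the model; the point it shows is that an NS record whose owner name is merely a suffix of the question name is not enough, and that the owner must also lie at or below the zone the answering server was delegated for.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Record:
    """One resource record; names are lower-case without a trailing dot."""
    name: str    # owner name
    rtype: str   # "NS" or "A"
    data: str    # NS target name, or A address


@dataclass
class Response:
    """The parts of a DNS reply this model needs: question plus two sections."""
    question: str
    authority: list = field(default_factory=list)
    additional: list = field(default_factory=list)


def is_at_or_below(name: str, zone: str) -> bool:
    """True if name == zone or name is a proper subdomain of zone (label-wise)."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


class AuthoritativeServerCache:
    """Toy stand-in for authoritativeDnsServerCache: zone -> server addresses."""

    def __init__(self, enforce_bailiwick: bool) -> None:
        self.enforce_bailiwick = enforce_bailiwick
        self.entries: dict = {}

    def add_from_response(self, resp: Response, answering_zone: str) -> list:
        """Learn delegations from a reply; returns the cache keys written.

        answering_zone is the zone the queried server was delegated for (an
        assumed parameter of this model; the check compares against it).
        Vulnerable mode reproduces the condition the advisory describes: an
        NS record is accepted whenever its name is a suffix of the question.
        Hardened mode additionally requires the NS owner name to sit at or
        below answering_zone, so a child zone cannot delegate its parent.
        """
        glue: dict = {}
        for r in resp.additional:
            if r.rtype == "A":
                glue.setdefault(r.name.lower(), []).append(r.data)

        written = []
        for ns in resp.authority:
            if ns.rtype != "NS" or not is_at_or_below(resp.question, ns.name):
                continue
            if self.enforce_bailiwick and not is_at_or_below(ns.name, answering_zone):
                continue  # out of bailiwick: reject a parent-zone claim from a child
            addrs = glue.get(ns.data.lower())
            if not addrs:
                continue  # no glue address: nothing to cache for this server
            key = ns.name.lower()
            self.entries.setdefault(key, []).extend(addrs)
            written.append(key)
        return written

    def lookup(self, qname: str) -> Optional[tuple]:
        """Closest enclosing cached zone for qname, as (zone, addresses)."""
        labels = qname.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            key = ".".join(labels[i:])
            if key in self.entries:
                return key, list(self.entries[key])
        return None


# Constructed scenario: the attacker runs the authoritative server for
# evil.co.uk (a made-up name) and answers a query for www.evil.co.uk with an
# AUTHORITY record claiming co.uk is served by a host under their control.
POISON_REPLY = Response(
    question="www.evil.co.uk",
    authority=[Record("co.uk", "NS", "ns1.evil.co.uk")],
    additional=[Record("ns1.evil.co.uk", "A", "203.0.113.7")],
)


def poisoning_scenario(enforce_bailiwick: bool) -> Optional[tuple]:
    """Feed POISON_REPLY to a fresh cache, then ask who serves bank.co.uk."""
    cache = AuthoritativeServerCache(enforce_bailiwick)
    cache.add_from_response(POISON_REPLY, answering_zone="evil.co.uk")
    return cache.lookup("bank.co.uk")


if __name__ == "__main__":
    print("vulnerable:", poisoning_scenario(enforce_bailiwick=False))
    print("hardened:  ", poisoning_scenario(enforce_bailiwick=True))
```

In vulnerable mode the later lookup for `bank.co.uk` walks up to the poisoned `co.uk` entry and returns the attacker's address, which is exactly the persistence the advisory describes; in hardened mode the `co.uk` record is dropped because it is above `evil.co.uk`, while an ordinary child delegation from the same server (an NS record for `sub.evil.co.uk`) still passes.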
Affected Vendors & Products (4 associated CPEs)

Vendor   Product   Version / Range
netty    netty     < 4.2.15.Final   (4.2.15.Final excluded)
netty    netty     < 4.1.135.Final  (4.1.135.Final excluded)
netty    netty     <= 4.2.14.Final  (4.2.14.Final included)
netty    netty     <= 4.1.134.Final (4.1.134.Final included)
CWE
CWE-345: The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
Executive Summary

This vulnerability affects Netty's DNS resolver in versions prior to 4.1.135.Final and 4.2.15.Final. The issue is insufficient validation of the bailiwick of NS (name server) records in the DnsResolveContext class. Specifically, the resolver accepts NS records from the AUTHORITY section even when they claim authority over a parent of the zone the answering server was delegated for, which a server for a subdomain is not entitled to assert. This allows an attacker who controls an authoritative name server for a subdomain to poison the resolver's cache for the parent domain.

The poisoned cache stores the attacker-supplied A records under the parent domain's key, so all future resolutions under that parent domain are directed to the attacker's server. This bypasses standard bailiwick rules, which prevent a subdomain's name server from being trusted for its parent domain.

The vulnerability is classified as high severity with a CVSS score of 8.7 and requires no privileges or user interaction to exploit; the attacker's prerequisite is control of an authoritative server for some subdomain that the vulnerable resolver will query. Patched versions 4.1.135.Final and 4.2.15.Final fix this issue.

Compliance Impact

The vulnerability allows DNS cache poisoning, which can lead to incorrect DNS responses and potentially redirect users to malicious sites or disrupt network services.

Such manipulation of DNS responses can result in unauthorized access or interception of data, which may impact the confidentiality and integrity of sensitive information.

Therefore, organizations using affected versions of Netty could face challenges in maintaining compliance with standards like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and tampering.

Impact Analysis

This vulnerability can lead to DNS cache poisoning: an attacker can inject attacker-chosen name-server addresses into the authoritative-server cache used by applications relying on Netty's DNS resolver, so that subsequent queries for names under the poisoned parent domain are sent to a server the attacker controls, which can then answer with whatever addresses it likes. This can cause users or systems to be redirected to malicious sites or services.

The impact includes potential redirection to phishing or malware sites, disruption of network services, and general compromise of DNS integrity for the affected parent domains.

Because the poisoned cache entry affects all future DNS resolutions under the parent domain, the scope of impact can be widespread and persistent until the entry expires or the resolver's cache is cleared. Patching alone does not evict an entry that a running process has already cached; the affected resolver must be restarted on a patched version.

Mitigation Strategies

To mitigate this vulnerability, upgrade Netty to a patched release on the line you are using. The vulnerable class lives in the `netty-resolver-dns` module (also bundled in `netty-all`), which is frequently pulled in transitively, so check the full dependency tree rather than only direct dependencies, and upgrade all Netty modules together since they share one version.

  • On the 4.1 line, upgrade to Netty version 4.1.135.Final or later.
  • On the 4.2 line, upgrade to Netty version 4.2.15.Final or later.

These versions validate the bailiwick of NS records before caching them as authoritative servers, preventing the poisoning. Restart affected services after the upgrade so that any entry already cached by a running process is discarded.
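As an added example (not from the advisory or the Netty project), the following Python script decides whether a Netty version string falls in the affected ranges and flags affected artifacts in `mvn dependency:tree` output. The fixed versions are the two the advisory names; the version-parsing rules, the handling of release lines the advisory does not list, and the sample tree output are assumptions. The check is per release line because a plain numeric compare would treat 4.2.0.Final as newer than 4.1.135.Final and miss that the 4.2 line has its own fix.

```python
import re

# First fixed release on each line named by the advisory.
FIXED = {(4, 1): (4, 1, 135), (4, 2): (4, 2, 15)}

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.[A-Za-z0-9]+)?$")
# Matches e.g. "io.netty:netty-resolver-dns:jar:4.1.134.Final:compile".
_TREE_LINE = re.compile(r"io\.netty:([\w.-]+):jar:([\w.]+):")


def parse_version(text: str) -> tuple:
    """'4.1.134.Final' -> (4, 1, 134); qualifier ignored, raises if malformed."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Netty version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> bool:
    """True if the version is below the fix on its own release line.

    Lines older than 4.1 predate every fix and are treated as affected
    (assumption based on the advisory's 'prior to' wording); lines newer
    than 4.2 are assumed to carry the fix and should be confirmed by hand.
    """
    major, minor, patch = parse_version(version)
    line = (major, minor)
    if line in FIXED:
        return (major, minor, patch) < FIXED[line]
    return line < min(FIXED)


def affected_artifacts(tree_output: str) -> list:
    """(artifact, version) pairs from a Maven dependency tree that are affected."""
    found = []
    for line in tree_output.splitlines():
        m = _TREE_LINE.search(line)
        if m and is_affected(m.group(2)):
            found.append((m.group(1), m.group(2)))
    return found


# Constructed sample of `mvn dependency:tree` output (not a real project).
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0
[INFO] +- io.netty:netty-resolver-dns:jar:4.1.134.Final:compile
[INFO] |  +- io.netty:netty-resolver:jar:4.1.134.Final:compile
[INFO] |  \\- io.netty:netty-codec-dns:jar:4.1.134.Final:compile
[INFO] +- io.netty:netty-handler:jar:4.2.15.Final:compile
[INFO] \\- org.example:other:jar:2.3:compile
"""

if __name__ == "__main__":
    for artifact, version in affected_artifacts(SAMPLE_TREE):
        print(f"{artifact} {version} is affected; upgrade to the fixed release on its line")
```

Every `io.netty` artifact at an affected version is reported, not only `netty-resolver-dns`, because Netty modules are released together and a mixed set of versions is itself a problem to fix.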
