CVE-2026-45674
Netty Vulnerable to DNS Cache Poisoning via Missing Bailiwick Checks in CNAME Records
CVSS 3.1 score: 8.7 (HIGH)
Description
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty's DnsResolveContext fails to validate the origin (bailiwick) of CNAME records in DNS responses. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
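One generic form of such an origin check, as an added example (not Netty's code or its patch): a resolver keeps a CNAME from a response only when its owner is the queried name or the target of a CNAME it has already accepted. The rule itself, the names Cname, norm and filter_cnames, and the sample records are assumptions constructed for illustration.

```python
# Added illustration: generic CNAME chain check, not Netty's implementation.
from typing import List, NamedTuple, Tuple


class Cname(NamedTuple):
    owner: str   # name the record was returned for
    target: str  # canonical name it points to


def norm(name: str) -> str:
    """DNS names compare case-insensitively; ignore the trailing root dot."""
    return name.rstrip(".").lower()


def filter_cnames(qname: str, records: List[Cname],
                  max_hops: int = 16) -> Tuple[List[Cname], List[Cname]]:
    """Split the CNAME records of one response into (accepted, rejected).

    A record is accepted only if its owner is the queried name or the
    target of a CNAME already accepted, so the accepted list is a single
    chain starting at qname. Everything else is unrelated to this query
    and must not be followed or cached.
    """
    by_owner = {}
    for rec in records:
        by_owner.setdefault(norm(rec.owner), rec)  # first record per owner wins

    accepted, seen = [], set()
    current = norm(qname)
    # Walk the chain; 'seen' stops CNAME loops, max_hops bounds chain length.
    while current in by_owner and current not in seen and len(accepted) < max_hops:
        seen.add(current)
        rec = by_owner[current]
        accepted.append(rec)
        current = norm(rec.target)

    rejected = [rec for rec in records if rec not in accepted]
    return accepted, rejected


# Constructed sample response to a query for www.example.com.
SAMPLE = [
    Cname("WWW.example.com.", "edge.example.net."),
    Cname("edge.example.net.", "host.example.org."),
    Cname("login.example.org.", "other.example.net."),  # owner not in the chain
]

if __name__ == "__main__":
    ok, dropped = filter_cnames("www.example.com", SAMPLE)
    print("accepted:", ok)
    print("rejected:", dropped)
```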
How to fix CVE-2026-45674
To remediate CVE-2026-45674, upgrade the affected package to a fixed version below.
- Debian/netty—no fix listed
- —upgrade to 4.2.15.Final or later
Is CVE-2026-45674 being exploited?
No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-45674.
Affected packages (2)
- from 0
- >= 4.2.0.Final, < 4.2.15.Final
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 8.7 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N |