CVE-2026-45674
ADVISORY - githubSummary
Summary
Netty's DnsResolveContext fails to validate the origin (bailiwick) of CNAME records in DNS responses.
Details
In io.netty.resolver.dns.DnsResolveContext#buildAliasMap, the resolver processes the ANSWER section of a DNS response and blindly caches all CNAME records it finds.
According to https://datatracker.ietf.org/doc/html/rfc5452#section-6
Care must be taken to only accept
data if it is known that the originator is authoritative for the
QNAME or a parent of the QNAME.
One very simple way to achieve this is to only accept data if it is
part of the domain for which the query was intended.
Impact
DNS Cache Poisoning (Bailiwick Bypass). Any application using Netty's DNS resolver is impacted.
Common Weakness Enumeration (CWE)
ADVISORY - github
Insufficient Verification of Data Authenticity
GitHub
CREATED
UPDATED
ADVISORY IDGHSA-676x-f7gg-47vc
EXPLOITABILITY SCORE
2.2
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)