CVE-2026-45674

ADVISORY - github

Summary

Summary

Netty's DnsResolveContext fails to validate the origin (bailiwick) of CNAME records in DNS responses.

Details

In io.netty.resolver.dns.DnsResolveContext#buildAliasMap, the resolver processes the ANSWER section of a DNS response and blindly caches all CNAME records it finds.

According to https://datatracker.ietf.org/doc/html/rfc5452#section-6

Care must be taken to only accept
   data if it is known that the originator is authoritative for the
   QNAME or a parent of the QNAME.
   One very simple way to achieve this is to only accept data if it is
   part of the domain for which the query was intended.

Impact

DNS Cache Poisoning (Bailiwick Bypass). Any application using Netty's DNS resolver is impacted.

EPSS Score: 0.00224 (0.129)

Common Weakness Enumeration (CWE)

ADVISORY - nist

Insufficient Verification of Data Authenticity

ADVISORY - github

Insufficient Verification of Data Authenticity

Origin Validation Error


Sign in to Docker Scout

See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.

Sign in