All vulnerabilities
CVE-2026-45674
Netty Vulnerable to DNS Cache Poisoning via Missing Bailiwick Checks in CNAME Records
Description
Summary
Netty's DnsResolveContext fails to validate the origin (bailiwick) of CNAME records in DNS responses.
Details
In io.netty.resolver.dns.DnsResolveContext#buildAliasMap, the resolver processes the ANSWER section of a DNS response and blindly caches all CNAME records it finds.
According to https://datatracker.ietf.org/doc/html/rfc5452#section-6
Care must be taken to only accept
data if it is known that the originator is authoritative for the
QNAME or a parent of the QNAME.
One very simple way to achieve this is to only accept data if it is
part of the domain for which the query was intended.
Impact
DNS Cache Poisoning (Bailiwick Bypass). Any application using Netty's DNS resolver is impacted.
Patch Available
Fix available through Seal Security. No upgrade required, protect your application instantly.
Fix without upgrading
Score
8.7
Severity
High
Ecosystem
Java
Publish Date
June 8, 2026
Modified Date
June 12, 2026
Score Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
Affected Versions
