CVE-2026-45674 | Netty is a network application framework for development of … | CVSS 8.7 HIGH

Description

Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty's DnsResolveContext fails to validate the origin (bailiwick) of CNAME records in DNS responses. Versions 4.1.135.Final and 4.2.15.Final patch the issue.

Metadata

CVE ID: CVE-2026-45674
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-05-12 21:59 UTC
Published: 2026-06-12 14:17 UTC
Last updated: 2026-06-13 03:56 UTC
Primary CWE: CWE-345
CWE-345: Insufficient Verification of Data Authenticity
Vendor / Product: netty / netty
Sources: cve.org · NVD

Severity & Metrics

8.7 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
netty	netty	—	>= 4.2.0.Final, < 4.2.15.Final, < 4.1.135.Final

Weakness (CWE)

CWE	Source	Description
CWE-345	cna	CWE-345: Insufficient Verification of Data Authenticity

CVSS scores (1)

Score	Severity	Version	Source	Vector
8.7	HIGH	3.1	cna	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

References (3)

https://github.com/netty/netty/security/advisories/GHSA-676x-f7gg-47vc https://github.com/netty/netty/security/advisories/GHSA-676x-f7gg-47vc
https://github.com/netty/netty/releases/tag/netty-4.1.135.Final https://github.com/netty/netty/releases/tag/netty-4.1.135.Final
https://github.com/netty/netty/releases/tag/netty-4.2.15.Final https://github.com/netty/netty/releases/tag/netty-4.2.15.Final