CVE-2026-47691
Reported by GitHub_M · Published June 12, 2026
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty's `DnsResolveContext` insufficiently validates the bailiwick of NS records, enabling DNS Cache Poisoning. An attacker controlling an authoritative name server for a subdomain can poison the cache for parent domains (like `.co.uk`). In `io.netty.resolver.dns.DnsResolveContext.AuthoritativeNameServerList#add` method accepts any NS record from the AUTHORITY section as long as the record's name is a suffix of the questionName. Subsequently, the `handleWithAdditional` method caches the associated A records from the ADDITIONAL section directly into the `authoritativeDnsServerCache` under the parent domain's key. This bypasses standard bailiwick rules, where a server authoritative for a subdomain should not be trusted to provide authoritative records for its parent. The poisoned cache is then used for all future resolutions under the parent domain's key. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| netty | netty | >= 4.2.0.Final, < 4.2.15.Final, < 4.1.135.Final |
| chainguard | elasticsearch-8.19 | 0, 0, 0 |
| Red Hat | Red Hat build of Debezium 3 | |
| wolfi | trino | 0, 0 |
| Red Hat | Red Hat Fuse 7 | |
| Red Hat | Red Hat JBoss Enterprise Application Platform Expansion Pack | |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8 | |
| Red Hat | Red Hat build of Apache Camel - HawtIO 4 | |
| Red Hat | Streams for Apache Kafka 2.9.4 | |
| Maven | io.netty:netty-resolver-dns | 0, 0, 0 |
| Red Hat | streams for Apache Kafka 2 | |
| Red Hat | OpenShift Serverless | |
| chainguard | apache-nifi | 0, 0, 0 |
| Red Hat | Red Hat JBoss Enterprise Application Platform 7 | |
| Red Hat | Red Hat build of Quarkus 3.27.4.SP1 | |
| chainguard | elasticsearch-fips-8.19 | 0, 0, 0 |
| chainguard | apache-pulsar-fips-4.0 | 0, 0, 0 |
| Red Hat | Red Hat OpenShift Dev Spaces | |
| Red Hat | Red Hat Single Sign-On 7 | |
| wolfi | apache-pulsar-4.2 | 0, 0, 0 |
…and 39 more
Timeline
- Jun 8, 2026 CVE Published
- Jun 9, 2026 Security Advisory
- Jun 17, 2026 EPSS Score
- Jun 17, 2026 Distribution Patch
- Jun 17, 2026 Security Advisory
- Jun 18, 2026 Distribution Patch
- Jun 18, 2026 Security Advisory
- Jun 18, 2026 Distribution Patch
- Jun 18, 2026 Security Advisory
- Jul 3, 2026 Distribution Patch
- Jul 3, 2026 Security Advisory
- Jul 9, 2026 Distribution Patch
References
- https://github.com/netty/netty/security/advisories/GHSA-5pvg-856g-cp85 x_refsource_CONFIRM
- https://github.com/netty/netty/releases/tag/netty-4.1.135.Final x_refsource_MISC
- https://github.com/netty/netty/releases/tag/netty-4.2.15.Final x_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2026-47691 advisory
- https://github.com/advisories/GHSA-5pvg-856g-cp85 advisory
- https://access.redhat.com/security/cve/CVE-2026-47691 vdb
- RHBZ#2488439 issue
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-47691.json url
- https://access.redhat.com/errata/RHSA-2026:26586 vendor-advisory
- https://access.redhat.com/errata/RHSA-2026:26018 vendor-advisory
- https://access.redhat.com/errata/RHSA-2026:26017 vendor-advisory
- https://access.redhat.com/errata/RHSA-2026:34608 vendor-advisory
- https://access.redhat.com/errata/RHSA-2026:37390 vendor-advisory