VDB

CVE-2026-47691

CVE-2026-47691 PUBLISHED CVSS 8.7 HIGH

Reported by GitHub_M · Published June 12, 2026

Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty's `DnsResolveContext` insufficiently validates the bailiwick of NS records, enabling DNS Cache Poisoning. An attacker controlling an authoritative name server for a subdomain can poison the cache for parent domains (like `.co.uk`). In `io.netty.resolver.dns.DnsResolveContext.AuthoritativeNameServerList#add` method accepts any NS record from the AUTHORITY section as long as the record's name is a suffix of the questionName. Subsequently, the `handleWithAdditional` method caches the associated A records from the ADDITIONAL section directly into the `authoritativeDnsServerCache` under the parent domain's key. This bypasses standard bailiwick rules, where a server authoritative for a subdomain should not be trusted to provide authoritative records for its parent. The poisoned cache is then used for all future resolutions under the parent domain's key. Versions 4.1.135.Final and 4.2.15.Final patch the issue.

Risk Scores

CVSS 3.1
8.7
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

Affected Products

VendorProductVersions
nettynetty>= 4.2.0.Final, < 4.2.15.Final, < 4.1.135.Final
chainguardelasticsearch-8.190, 0, 0
Red HatRed Hat build of Debezium 3
wolfitrino0, 0
Red HatRed Hat Fuse 7
Red HatRed Hat JBoss Enterprise Application Platform Expansion Pack
Red HatRed Hat JBoss Enterprise Application Platform 8
Red HatRed Hat build of Apache Camel - HawtIO 4
Red HatStreams for Apache Kafka 2.9.4
Mavenio.netty:netty-resolver-dns0, 0, 0
Red Hatstreams for Apache Kafka 2
Red HatOpenShift Serverless
chainguardapache-nifi0, 0, 0
Red HatRed Hat JBoss Enterprise Application Platform 7
Red HatRed Hat build of Quarkus 3.27.4.SP1
chainguardelasticsearch-fips-8.190, 0, 0
chainguardapache-pulsar-fips-4.00, 0, 0
Red HatRed Hat OpenShift Dev Spaces
Red HatRed Hat Single Sign-On 7
wolfiapache-pulsar-4.20, 0, 0

…and 39 more

Timeline

  • Jun 8, 2026 CVE Published
  • Jun 9, 2026 Security Advisory
  • Jun 17, 2026 EPSS Score
  • Jun 17, 2026 Distribution Patch
  • Jun 17, 2026 Security Advisory
  • Jun 18, 2026 Distribution Patch
  • Jun 18, 2026 Security Advisory
  • Jun 18, 2026 Distribution Patch
  • Jun 18, 2026 Security Advisory
  • Jul 3, 2026 Distribution Patch
  • Jul 3, 2026 Security Advisory
  • Jul 9, 2026 Distribution Patch
Open in Interactive Console →
$ Console Community · 100/wk Open console ›