CVE-2026-47691 Overview
CVE-2026-47691 is a DNS cache poisoning vulnerability in Netty, a widely deployed asynchronous network application framework used to build protocol servers and clients in Java. The flaw resides in io.netty.resolver.dns.DnsResolveContext and stems from insufficient bailiwick validation when processing NS records returned in the AUTHORITY section of DNS responses. An attacker controlling an authoritative name server for a subdomain can inject records that poison the resolver cache for parent domains such as .co.uk. The issue affects Netty versions prior to 4.1.135.Final and 4.2.15.Final [CWE-345: Insufficient Verification of Data Authenticity].
Critical Impact
Successful exploitation allows an attacker to redirect traffic for entire parent zones, enabling man-in-the-middle attacks, credential theft, and downstream compromise of any service that resolves names through a vulnerable Netty-based client.
Affected Products
- Netty versions prior to 4.1.135.Final
- Netty versions prior to 4.2.15.Final
- Applications and frameworks embedding netty:netty DNS resolver components
Discovery Timeline
- 2026-06-12 - CVE-2026-47691 published to NVD
- 2026-06-17 - Last updated in the NVD database
Technical Details for CVE-2026-47691
Vulnerability Analysis
The vulnerability exists in Netty's DNS resolver logic, specifically in the AuthoritativeNameServerList#add method inside DnsResolveContext. This method accepts any NS record from the AUTHORITY section provided that the record's name is a suffix of the original questionName. The check enforces only a suffix relationship rather than a proper bailiwick rule.
After accepting the NS record, the handleWithAdditional method stores the associated A records from the ADDITIONAL section directly into the authoritativeDnsServerCache under the parent domain's key. The poisoned entries then drive every subsequent resolution scoped to that parent domain.
The practical consequence is that a server authoritative only for a child label is treated as authoritative for ancestor labels. This violates a foundational DNS trust boundary and breaks the assumption that delegations flow strictly downward from the parent to the child.
Root Cause
The root cause is a missing bailiwick check. RFC-compliant resolvers require that glue and NS records returned by an authoritative server fall within or below the zone for which that server is authoritative. Netty's implementation reduced this requirement to a suffix match against the queried name, which is necessary but not sufficient. A name server authoritative for evil.example.co.uk could therefore inject NS and A records keyed under co.uk.
Attack Vector
An attacker registers or controls a subdomain and operates its authoritative name server. The attacker induces a victim application using Netty's DNS resolver to issue a query for a name under that subdomain. In the response, the attacker includes AUTHORITY section NS records naming a parent zone and ADDITIONAL section A records pointing to attacker-controlled IP addresses. Netty caches these records under the parent domain key, and all later lookups under that parent resolve to the attacker's infrastructure until the cache entry expires.
No authentication, user interaction, or local access is required. The attack is fully remote and operates over standard DNS traffic. See the GitHub Security Advisory GHSA-5pvg-856g-cp85 for the maintainer's technical description.
Detection Methods for CVE-2026-47691
Indicators of Compromise
- DNS responses where AUTHORITY section NS records name a public suffix or parent zone that the responding server is not delegated to serve.
- ADDITIONAL section A records associated with out-of-bailiwick NS entries, particularly for top-level or effective top-level domains.
- Sudden resolution drift where multiple unrelated hostnames under a common parent domain begin resolving to the same unexpected IP address.
Detection Strategies
- Inventory Java applications and dependencies for netty:netty versions older than 4.1.135.Final and 4.2.15.Final using software composition analysis tooling.
- Inspect DNS responses returning through egress points and flag responses whose AUTHORITY records cross bailiwick boundaries.
- Correlate DNS resolution telemetry with network connection telemetry to identify applications connecting to unexpected destinations after a resolution event.
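The following is an added example, not Netty's code: it places the suffix-only rule described in the Vulnerability Analysis and Root Cause sections beside a proper bailiwick rule, and applies both to the AUTHORITY and ADDITIONAL records of a constructed response, which is the check an egress detector or resolver-cache audit from the Detection Strategies would perform. The RR dataclass, audit_response function, the sample response and the tiny PUBLIC_SUFFIXES set are all assumptions made for the example; the record fields are assumed to come from an already-parsed response.

```python
from dataclasses import dataclass

# Constructed stand-in, not the real Public Suffix List: a real detector loads the PSL.
PUBLIC_SUFFIXES = {"uk", "co.uk", "com", "net"}

def labels(name: str) -> list[str]:
    """Normalise a DNS name into lower-case labels, ignoring the trailing dot."""
    return [l for l in name.lower().rstrip(".").split(".") if l]

def is_label_suffix(name: str, candidate: str) -> bool:
    """The weak rule from the advisory: accept when candidate is a label-aligned suffix of name."""
    n, c = labels(name), labels(candidate)
    return len(c) <= len(n) and n[len(n) - len(c):] == c

def in_bailiwick(responder_zone: str, owner: str) -> bool:
    """Proper rule: a record is trusted only at or below the zone the responder serves."""
    return is_label_suffix(owner, responder_zone)

@dataclass(frozen=True)
class RR:
    owner: str   # record name
    rtype: str   # "NS" or "A"
    rdata: str   # NS target host, or dotted-quad for A

def audit_response(question: str, responder_zone: str,
                   authority: list[RR], additional: list[RR]) -> dict:
    """Classify AUTHORITY NS records as the suffix rule would (weak_accepts), then as a
    bailiwick-aware check would, and pair out-of-bailiwick NS entries with their glue."""
    weak_accepts = [rr for rr in authority
                    if rr.rtype == "NS" and is_label_suffix(question, rr.owner)]
    out_of_bailiwick = [rr for rr in weak_accepts
                        if not in_bailiwick(responder_zone, rr.owner)]
    public_suffix_hits = [rr for rr in out_of_bailiwick
                          if ".".join(labels(rr.owner)) in PUBLIC_SUFFIXES]
    poisoned_hosts = {".".join(labels(rr.rdata)) for rr in out_of_bailiwick}
    poisoned_glue = [rr for rr in additional
                     if rr.rtype == "A" and ".".join(labels(rr.owner)) in poisoned_hosts]
    return {"weak_accepts": weak_accepts, "out_of_bailiwick": out_of_bailiwick,
            "public_suffix_hits": public_suffix_hits, "poisoned_glue": poisoned_glue}

# Constructed sample: the responder serves evil.example.co.uk but also answers with an
# NS record for the parent co.uk, plus glue for its own host in the ADDITIONAL section.
SAMPLE = dict(
    question="www.evil.example.co.uk.",
    responder_zone="evil.example.co.uk.",
    authority=[RR("evil.example.co.uk.", "NS", "ns1.evil.example.co.uk."),
               RR("co.uk.", "NS", "ns1.evil.example.co.uk.")],
    additional=[RR("ns1.evil.example.co.uk.", "A", "192.0.2.10")],
)

if __name__ == "__main__":
    for key, rrs in audit_response(**SAMPLE).items():
        print(key, [(rr.owner, rr.rtype, rr.rdata) for rr in rrs])
```

Both NS records pass the suffix rule, but only the co.uk entry (and the glue it drags in) is flagged by the bailiwick rule, which is the record a patched resolver refuses to cache and a detector should alert on.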
Monitoring Recommendations
- Capture and retain DNS query and response pairs from hosts running Netty-based services for retrospective hunting.
- Alert on resolver cache entries that map effective top-level domains or registry suffixes to non-root authoritative servers.
- Monitor application logs for resolver-related exceptions or unexpected upstream endpoint changes following DNS lookups.
How to Mitigate CVE-2026-47691
Immediate Actions Required
- Upgrade Netty to 4.1.135.Final or 4.2.15.Final in all applications, container images, and shaded dependencies.
- Rebuild and redeploy downstream artifacts that bundle Netty, including frameworks such as gRPC, Vert.x, Reactor Netty, and Spring WebFlux runtimes.
- Flush the authoritativeDnsServerCache and restart affected services after upgrading to evict any previously poisoned entries.
Patch Information
The Netty maintainers addressed the issue by enforcing proper bailiwick validation on NS records prior to caching. Fixed releases are available at GitHub Release netty-4.1.135.Final and GitHub Release netty-4.2.15.Final. The vendor advisory is published at GitHub Security Advisory GHSA-5pvg-856g-cp85.
Workarounds
- Route Netty DNS lookups through a trusted recursive resolver that performs strict bailiwick enforcement and DNSSEC validation where possible.
- Restrict outbound DNS so Netty-based services can only query controlled internal resolvers rather than arbitrary upstream servers.
- Where feasible, substitute the default DnsNameResolver with the JDK resolver until patched Netty artifacts are deployed.
# Maven dependency override example
mvn dependency:tree -Dincludes=io.netty:netty-resolver-dns
mvn versions:use-dep-version -Dincludes=io.netty:netty-resolver-dns -DdepVersion=4.1.135.Final -DforceVersion=true
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

