CVE-2026-45674: Netty Vulnerable to DNS Cache Poisoning via Missing Bailiwick Checks in CNAME Records

June 8, 2026 (updated June 12, 2026)

Netty’s DnsResolveContext fails to validate the origin (bailiwick) of CNAME records in DNS responses.

References

github.com/advisories/GHSA-676x-f7gg-47vc
github.com/netty/netty/releases/tag/netty-4.1.135.Final
github.com/netty/netty/releases/tag/netty-4.2.15.Final
github.com/netty/netty/security/advisories/GHSA-676x-f7gg-47vc
nvd.nist.gov/vuln/detail/CVE-2026-45674

Code Behaviors & Features

Detect and mitigate CVE-2026-45674 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →