CVE-2026-47691: Netty has Insufficient Bailiwick Validation for NS Records

June 8, 2026 (updated June 12, 2026)

Netty’s DnsResolveContext insufficiently validates the bailiwick of NS records, enabling DNS Cache Poisoning. An attacker controlling an authoritative name server for a subdomain can poison the cache for parent domains (like .co.uk).

References

github.com/advisories/GHSA-5pvg-856g-cp85
github.com/netty/netty/releases/tag/netty-4.1.135.Final
github.com/netty/netty/releases/tag/netty-4.2.15.Final
github.com/netty/netty/security/advisories/GHSA-5pvg-856g-cp85
nvd.nist.gov/vuln/detail/CVE-2026-47691

Code Behaviors & Features

Detect and mitigate CVE-2026-47691 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →