Netty's DnsResolveContext insufficiently validates the bailiwick of NS records, enabling DNS Cache Poisoning. An attacker controlling an authoritative name server for a subdomain can poison the cache for parent domains (like .co.uk).
In io.netty.resolver.dns.DnsResolveContext.AuthoritativeNameServerList#add method accepts any NS record from the AUTHORITY section as long as the record's name is a suffix of the questionName.
This means if the resolver queries evil.co.uk., it will accept an NS record claiming authority over co.uk.. Subsequently, the handleWithAdditional method caches the associated A records from the ADDITIONAL section directly into the authoritativeDnsServerCache under the parent domain's key (co.uk.). This bypasses standard bailiwick rules, where a server authoritative for a subdomain should not be trusted to provide authoritative records for its parent. The poisoned cache is then used for all future resolutions under co.uk..
The io.netty.resolver.dns.DnsResolveContext.AuthoritativeNameServerList#cache method only prevents caching if the record is for the root zone (dots == 1).
DNS Cache Poisoning. Any application using Netty's DNS resolver is impacted.
| Score | Percentile |
|---|---|
| 0.29% | 21.01% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 8.7 | 3.1 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-5pvg-856g-cp85 ↗ |
| CVE | CVE-2026-47691 ↗ |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| maven | io.netty:netty-resolver-dns | >= 4.2.0.Final, <= 4.2.14.Final | 4.2.15.Final | — |
| maven | io.netty:netty-resolver-dns | <= 4.1.134.Final | 4.1.135.Final | — |