Network Application Framework Vulnerability in Netty by Netty Project
CVE-2026-42579

7.5 HIGH

Key Information:

Vendor

Netty

Status
Vendor
CVE Published: 13 May 2026

What is CVE-2026-42579?

Netty's DNS codec does not properly enforce RFC 1035 domain name constraints, which opens it to attack on both the decoding and the encoding path. On decode, a malicious DNS response can exploit the missing checks; on encode, a user-influenced hostname can. The issue puts network applications that use Netty for DNS operations at risk. Users should upgrade to 4.2.13.Final or 4.1.133.Final, which contain the patches that address it.
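As an added illustration (not Netty's code and not the upstream patch), the following Java check applies the RFC 1035 size limits to a hostname before it is handed to a DNS encoder. The class and method names are hypothetical; the limits used (63 octets per label, 255 octets for the whole name in wire form) are the ones RFC 1035 defines, and the sample inputs are constructed.

```java
// Added illustration, not Netty code: class and method names are hypothetical.
public final class Rfc1035NameCheck {
    static final int MAX_LABEL_OCTETS = 63;  // RFC 1035, section 2.3.4
    static final int MAX_NAME_OCTETS = 255;  // wire form: length octets + labels + root

    /** Returns null when the name fits the RFC 1035 size limits, else the reason. */
    static String violation(String name) {
        if (name == null || name.isEmpty()) return "empty name";
        if (name.equals(".")) return null;   // the root name itself
        // A single trailing dot only marks the name as fully qualified.
        String n = name.endsWith(".") ? name.substring(0, name.length() - 1) : name;
        int wireLength = 1;                  // terminating zero-length root label
        for (String label : n.split("\\.", -1)) {
            // A zero-length label ends a name on the wire, so it cannot sit inside one.
            if (label.isEmpty()) return "empty label inside name";
            for (int i = 0; i < label.length(); i++) {
                // One char equals one octet only for ASCII; convert IDNs first.
                if (label.charAt(i) > 0x7f) return "non-ASCII label (apply IDN.toASCII first)";
            }
            if (label.length() > MAX_LABEL_OCTETS) return "label longer than 63 octets";
            wireLength += 1 + label.length(); // length octet + label bytes
            if (wireLength > MAX_NAME_OCTETS) return "name longer than 255 octets";
        }
        return null;
    }

    public static void main(String[] args) {
        String[] samples = {                  // constructed inputs
            "example.com.",
            "a".repeat(64) + ".example.com",
            "a..example.com",
            ("a".repeat(63) + ".").repeat(4) + "com",
            "b\u00fccher.example",
        };
        for (String s : samples) {
            String why = violation(s);
            System.out.printf("%-40s (%d chars): %s%n",
                    s.length() > 40 ? s.substring(0, 37) + "..." : s,
                    s.length(), why == null ? "ok" : "REJECT, " + why);
        }
    }
}
```

A check like this belongs at the point where user-influenced hostnames enter the application; it covers only the encoding side and does not replace upgrading to a patched release.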

Affected Version(s)

netty >= 4.2.0.Alpha1, < 4.2.13.Final

netty < 4.1.133.Final

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
