CVE-2026-42579
CWE-20: Improper Input Validation vulnerability in netty-codec-dns (Maven)

CWE-20: Improper Input Validation | No known exploit

What is CVE-2026-42579 About?

This vulnerability in Netty's DNS codec allows an attacker to bypass critical RFC 1035 domain name validations during both encoding and decoding. It can lead to DNS cache poisoning, domain validation bypass, or denial of service by triggering excessive memory allocation. Exploitation is relatively easy as it often involves crafting malicious DNS responses or providing specially formed hostnames.

Affected Software

  • io.netty:netty-codec-dns
    • >=4.2.0.Alpha1, <4.2.13.Final
    • <4.1.133.Final

Technical Details

Netty's DnsCodecUtil component, specifically its encodeDomainName() and decodeDomainName() methods, fails to enforce the RFC 1035 constraints on DNS domain names.

On the encoder side, encodeDomainName() does not reject null bytes, labels longer than 63 bytes, or names longer than 255 bytes. Null bytes can therefore be injected into a name; because different DNS implementations interpret such a name differently, this enables DNS cache poisoning and domain validation bypass. Labels exceeding 63 bytes are written with length bytes that compliant DNS parsers can misinterpret as compression pointers, causing parser confusion. The encoder also silently truncates a name when it encounters an empty label (for example, a..b.com is encoded as a.).

On the decoder side, decodeDomainName() accepts labels of any length and lets its StringBuilder grow without bound while processing attacker-controlled DNS responses, leading to excessive memory allocation and potential denial of service. It lacks checks for label length (> 63) and total domain name length (> 255).
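To make the missing checks concrete, here is an added standalone encoder and decoder for the RFC 1035 name format that enforces each limit the advisory lists. This is illustrative code written for this page, not Netty's DnsCodecUtil or its patched version; the function names mirror Netty's only for readability. Assumptions: labels are ASCII (IDNA applied by the caller), compression pointers may only point backwards, and at most 16 pointer hops are followed. The decoder takes the whole message plus an offset because a compression pointer refers to an earlier position in the same message.

```python
"""RFC 1035 domain-name encoder/decoder with explicit validation.
Illustrative code for the CVE-2026-42579 write-up; not Netty's DnsCodecUtil."""

MAX_LABEL_LEN = 63      # RFC 1035 2.3.4: a label is at most 63 octets
MAX_NAME_LEN = 255      # RFC 1035 2.3.4: a name is at most 255 octets on the wire
MAX_POINTER_HOPS = 16   # assumption: generous cap on compression-pointer chains


class DnsNameError(ValueError):
    """Raised instead of silently truncating or accepting an invalid name."""


def encode_domain_name(name: str) -> bytes:
    """Encoder side: dotted name -> wire format. Rejects what the vulnerable
    encoder let through: null bytes, empty labels, labels > 63, names > 255."""
    if "\x00" in name:
        raise DnsNameError("null byte in domain name")
    if name in ("", "."):
        return b"\x00"                      # the root name
    if name.endswith("."):
        name = name[:-1]                    # one trailing dot marks a fully qualified name
    out = bytearray()
    for label in name.split("."):
        raw = label.encode("ascii")         # assumption: caller has already applied IDNA
        if not raw:
            raise DnsNameError("empty label")   # 'a..b.com' is rejected, not cut to 'a.'
        if len(raw) > MAX_LABEL_LEN:
            # A length byte above 63 has bit 0x40 or 0x80 set; parsers read those bits
            # as a reserved label type or a compression pointer, so refuse it here.
            raise DnsNameError(f"label longer than {MAX_LABEL_LEN} bytes")
        out.append(len(raw))
        out += raw
    out.append(0)                           # terminating zero-length label
    if len(out) > MAX_NAME_LEN:
        raise DnsNameError(f"name longer than {MAX_NAME_LEN} bytes on the wire")
    return bytes(out)


def is_valid_domain_name(name: str) -> bool:
    """Boolean wrapper for input validation before a query is built."""
    try:
        encode_domain_name(name)
        return True
    except (DnsNameError, UnicodeEncodeError):
        return False


def decode_domain_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decoder side: parse the name at `offset` of a full DNS message and return
    (name, offset just past it). Every step is bounded, so an attacker-controlled
    response cannot make the accumulated name grow without limit."""
    labels: list[str] = []
    wire_len = 0        # octets the name would occupy uncompressed
    hops = 0
    end = -1            # set at the first pointer or at the terminator
    pos = offset
    while True:
        if pos >= len(msg):
            raise DnsNameError("name runs past end of message")
        length = msg[pos]
        if length == 0:                                 # terminator
            if end < 0:
                end = pos + 1
            break
        if length & 0xC0 == 0xC0:                       # compression pointer
            if pos + 1 >= len(msg):
                raise DnsNameError("truncated compression pointer")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            if target >= pos:                           # backwards only: no loops
                raise DnsNameError("compression pointer does not point backwards")
            hops += 1
            if hops > MAX_POINTER_HOPS:
                raise DnsNameError("too many compression pointers")
            if end < 0:
                end = pos + 2
            pos = target
            continue
        if length & 0xC0:                               # 0x40 / 0x80: reserved types
            raise DnsNameError("label length byte with reserved high bits")
        # Here 1 <= length <= 63, which is exactly the per-label limit.
        wire_len += 1 + length
        if wire_len + 1 > MAX_NAME_LEN:                 # +1 for the terminator
            raise DnsNameError(f"name longer than {MAX_NAME_LEN} bytes")
        raw = msg[pos + 1:pos + 1 + length]
        if len(raw) != length:
            raise DnsNameError("label runs past end of message")
        if b"\x00" in raw:
            raise DnsNameError("null byte inside label")
        try:
            labels.append(raw.decode("ascii"))
        except UnicodeDecodeError as exc:
            raise DnsNameError("non-ASCII byte inside label") from exc
        pos += 1 + length
    return ".".join(labels) + ".", end
```

Both functions fail closed: a name that violates a limit raises DnsNameError rather than being truncated or partially accepted, which is the behaviour the advisory faults in the vulnerable encoder. The decoder counts the uncompressed length of the name, so a response that chains pointers to stitch together an over-long name is rejected at the 255-octet mark even though each pointer is individually valid.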

What is the Impact of CVE-2026-42579?

Successful exploitation may allow attackers to poison DNS caches, bypass domain validation mechanisms, or cause denial of service through uncontrolled resource consumption.

What is the Exploitability of CVE-2026-42579?

Exploitation can be initiated remotely, either by sending crafted DNS responses to a Netty application using the codec-dns or resolver-dns module (inbound/decoder side) or by providing user-influenced, malformed hostnames to a Netty application constructing DNS queries (outbound/encoder side). No authentication is strictly required, although access to influence hostnames or DNS responses is a prerequisite. The complexity is low to medium, as it primarily involves constructing specific byte sequences or strings that violate RFC 1035. Privilege requirements are minimal, as the attack targets the application's handling of DNS data directly. Special conditions include the Netty application actively engaging in DNS resolution or hostname processing, and the presence of a malicious DNS server or user input. Risk factors are increased when Netty applications are exposed to untrusted external DNS infrastructure or process user-controlled input for DNS queries.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2026-42579?

Available Upgrade Options

  • io.netty:netty-codec-dns
    • <4.1.133.Final → Upgrade to 4.1.133.Final
  • io.netty:netty-codec-dns
    • >=4.2.0.Alpha1, <4.2.13.Final → Upgrade to 4.2.13.Final


Additional Resources

What are Similar Vulnerabilities to CVE-2026-42579?

Similar Vulnerabilities: CVE-2020-13778, CVE-2015-7547, CVE-2016-2776, CVE-2021-25746, CVE-2017-9008