Null Byte Interaction Error (Poison Null Byte) in Netty - CVE-2026-42579

 


Published: May 5, 2026


Vulnerability identifier: #VU130208
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-42579
CWE-ID: CWE-626
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Netty
Software vendor: Netty project

Description

The vulnerability allows a remote attacker to bypass domain validation and poison DNS caches.

The vulnerability exists due to improper input validation in the encodeDomainName() method of io.netty.handler.codec.dns.DnsCodecUtil when it encodes user-influenced domain names. A remote attacker can supply a crafted domain name containing null bytes, overlength labels, or empty labels to bypass domain validation and poison DNS caches.

The issue affects the encoder path and relies on applications using user-influenced hostnames to construct DNS queries.
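
An application-side check for the three input classes named above (null bytes, overlength labels, empty labels), applied to a user-influenced hostname before it reaches a DNS query. This is an added example, not Netty code and not the vendor's fix; the class name DnsNameCheck, the method reject() and the sample hostnames are constructed for illustration, and the allowed character set is an assumed policy.

```java
/** Added example: validate a user-influenced hostname before building a DNS query. */
public final class DnsNameCheck {
    private static final int MAX_LABEL_OCTETS = 63;  // RFC 1035 limit for one label
    private static final int MAX_NAME_OCTETS = 255;  // RFC 1035 limit for the encoded name

    /** Returns null when the name is acceptable, otherwise the reason for rejecting it. */
    public static String reject(String name) {
        if (name == null || name.isEmpty()) return "empty name";
        // A single trailing dot (fully qualified form) is tolerated and stripped.
        String n = name.endsWith(".") ? name.substring(0, name.length() - 1) : name;
        if (n.isEmpty()) return "root only";
        int wire = 1; // the terminating zero-length root label
        for (String label : n.split("\\.", -1)) { // limit -1 keeps empty labels visible
            if (label.isEmpty()) return "empty label";
            for (int i = 0; i < label.length(); i++) {
                char c = label.charAt(i);
                if (c == 0) return "null byte";
                // Assumed policy: ASCII letters, digits, '-' and '_' only.
                boolean ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                        || (c >= '0' && c <= '9') || c == '-' || c == '_';
                if (!ok) return "disallowed character";
            }
            // All characters are ASCII here, so chars and octets are the same count.
            if (label.length() > MAX_LABEL_OCTETS) return "label longer than 63 octets";
            wire += 1 + label.length(); // length octet plus label bytes
        }
        return wire > MAX_NAME_OCTETS ? "name longer than 255 octets" : null;
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not taken from any real incident.
        String[] samples = {
            "example.com",
            "example.com.",
            "a\0.example.com",
            "a..example.com",
            ".example.com",
            "x".repeat(64) + ".example.com",
        };
        for (String s : samples) {
            String reason = reject(s);
            System.out.printf("%s -> %s%n", s.replace("\0", "\\0"),
                    reason == null ? "accepted" : "rejected: " + reason);
        }
    }
}
```

Names with non-ASCII characters are rejected by this policy; an application that accepts internationalized names would convert them to their ASCII form first and then run the same checks.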


Remediation

Install the security update from the vendor's website.
