Main Vulnerability Database Vulnerabilities #VU133444

Insufficient verification of data authenticity in Netty - CVE-2026-47691

Published: June 8, 2026

Vulnerability identifier: #VU133444

CSH Severity: High

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2026-47691

CWE-ID: CWE-345

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Netty project

Affected software:
Netty

Detailed vulnerability description

The vulnerability allows a remote attacker to poison the DNS cache.

The vulnerability exists due to insufficient verification of data authenticity in the DnsResolveContext.AuthoritativeNameServerList handling of NS records when processing DNS responses containing NS records in the AUTHORITY section and A records in the ADDITIONAL section. A remote attacker can provide crafted DNS records to poison the DNS cache.

Exploitation requires control of an authoritative name server for a subdomain, and the poisoned cache can affect future resolutions under the parent domain.

How to mitigate CVE-2026-47691

Install security update from vendor's website.

Sources

https://github.com/netty/netty/security/advisories/GHSA-5pvg-856g-cp85

Insufficient verification of data authenticity in Netty - CVE-2026-47691

Detailed vulnerability description

How to mitigate CVE-2026-47691

Sources

Please verify you're human