Generation of Predictable Numbers or Identifiers in Netty - CVE-2026-45673

 


Published: June 8, 2026


Vulnerability identifier: #VU133451
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-45673
CWE-ID: CWE-340
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Netty project
Affected software:
Netty

Detailed vulnerability description

The vulnerability allows a remote attacker to poison the DNS cache.

The vulnerability exists due to generation of predictable numbers or identifiers in the Netty DNS resolver when generating DNS transaction IDs and using the default static UDP source port for DNS queries. A remote attacker can spoof DNS responses to poison the DNS cache.

Successful exploitation may cause downstream applications to connect to malicious IP addresses, enabling traffic interception or machine-in-the-middle attacks.
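A check a defender can run over outbound DNS queries captured from a host that uses the resolver, looking for the two weaknesses described above. It is an added example, not Netty code or part of the advisory. The thresholds, function names and sample tuples are assumptions constructed for illustration.

```python
import random
from collections import Counter

# Assumed thresholds for this example; tune them against your own traffic.
PORT_SHARE_LIMIT = 0.9    # one source port carrying >90% of queries
DELTA_SHARE_LIMIT = 0.5   # one ID step explaining >50% of consecutive queries
MIN_SAMPLES = 20          # below this the shares are not meaningful


def top_share(values):
    """Fraction of observations taken by the single most common value."""
    return Counter(values).most_common(1)[0][1] / len(values) if values else 0.0


def audit_queries(queries):
    """queries: (udp_source_port, dns_transaction_id) tuples in send order."""
    if len(queries) < MIN_SAMPLES:
        raise ValueError(f"need at least {MIN_SAMPLES} queries")
    ports = [port for port, _ in queries]
    ids = [txid for _, txid in queries]
    # Step between consecutive IDs, wrapped to the 16-bit DNS ID field.
    deltas = [(b - a) % 65536 for a, b in zip(ids, ids[1:])]
    result = {
        "distinct_ports": len(set(ports)),
        "static_port": top_share(ports) > PORT_SHARE_LIMIT,
        "stepped_ids": top_share(deltas) > DELTA_SHARE_LIMIT,
    }
    # A clean "stepped_ids" result only rules out counter-like IDs; a weak
    # PRNG with recoverable state would pass this check.
    result["findings"] = [k for k in ("static_port", "stepped_ids") if result[k]]
    return result


# Constructed samples, not real captures.
_rng = random.Random(7)
STATIC_AND_STEPPED = [(40000, (0xFFF0 + i) % 65536) for i in range(64)]
STATIC_RANDOM_IDS = [(40000, _rng.randrange(65536)) for _ in range(64)]
RANDOMIZED = [(_rng.randrange(1024, 65536), _rng.randrange(65536))
              for _ in range(64)]

if __name__ == "__main__":
    for label, sample in [("static port, stepped IDs", STATIC_AND_STEPPED),
                          ("static port, random IDs", STATIC_RANDOM_IDS),
                          ("randomized port and IDs", RANDOMIZED)]:
        print(label, audit_queries(sample))
```

A host that still reports `static_port` after the update is applied leaves a spoofed response needing to match only the 16-bit transaction ID, so the check is worth rerunning once the fix is deployed.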


How to mitigate CVE-2026-45673

Install the security update from the vendor's website.
