Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
9.1
Netty DNS Handler Fails to Validate Domain Names
DEBIAN-CVE-2026-42579
Summary
Netty's DNS handler in older versions does not properly check domain names, which can allow attackers to send malicious data. This could lead to security issues if an attacker is able to control the domain names used in your system. To fix this, update to Netty versions 4.2.13.Final or 4.1.133.Final.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| Debian:11 | debian | netty | All versions |
| Debian:12 | debian | netty | All versions |
| Debian:13 | debian | netty | All versions |
| Debian:14 | debian | netty | All versions |
Original title
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's DNS codec does not enforce RFC 1035 domain name constraints during either enco...
Original description
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's DNS codec does not enforce RFC 1035 domain name constraints during either encoding or decoding. This creates a bidirectional attack surface: malicious DNS responses can exploit the decoder, and user-influenced hostnames can exploit the encoder. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
osv CVSS3.1
7.5
- https://security-tracker.debian.org/tracker/CVE-2026-42579 Vendor Advisory
Published: 13 May 2026 · Updated: 19 May 2026 · First seen: 14 May 2026