| Field | Value |
| --- | --- |
| CVE ID | CVE-2026-45674 |
| Vendor | maven |
| Affected Product | io.netty:netty-resolver-dns |
| Vulnerability Type | Vulnerability |
| CVSS Score | 8.7 (HIGH) |
| Actively Exploited | ❌ No known exploitation |
| Patch Status | See Vendor Advisory → |
| Reported By | CYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories) |
Netty's DnsResolveContext fails to validate the origin (bailiwick) of CNAME records in DNS responses.
In `io.netty.resolver.dns.DnsResolveContext#buildAliasMap`, the resolver processes the ANSWER section of a DNS response and blindly caches every CNAME record it finds, without checking that the record's owner name is related to the name that was queried. [RFC 5452, section 6](https://datatracker.ietf.org/doc/html/rfc5452#section-6) states:

> Care must be taken to only accept data if it is known that the originator is authoritative for the QNAME or a parent of the QNAME. One very simple way to achieve this is to only accept data if it is part of the domain for which the query was intended.
Impact: DNS cache poisoning (bailiwick bypass). Any application using Netty's DNS resolver is affected.
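The following is an added example, not Netty's code, showing the two behaviours side by side: an alias map that accepts every CNAME in the ANSWER section (the pattern the advisory describes), and a hardened version that follows the CNAME chain from the queried name and accepts a record only if it is the next link of that chain and its owner lies inside the bailiwick of the query, the rule RFC 5452 section 6 recommends. The record shape, helper names and the sample answer section (including the unrelated `login.example.com` record standing in for an injected one) are constructed for this example.

```python
"""Bailiwick-aware CNAME alias map (added example, not Netty's implementation)."""
from typing import Dict, List, NamedTuple, Optional, Tuple

MAX_CHAIN = 16  # assumed upper bound on CNAME chain length


class Record(NamedTuple):
    name: str    # owner name of the record
    rtype: str   # "CNAME", "A", ...
    rdata: str   # CNAME target, or an address for A records


def canon(name: str) -> str:
    """Normalise a DNS name: lower-case with exactly one trailing dot."""
    return name.lower().rstrip(".") + "."


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name equals zone or is a subdomain of it (label-aware suffix match)."""
    n, z = canon(name), canon(zone)
    return n == z or n.endswith("." + z)


def build_alias_map_unchecked(answers: List[Record]) -> Dict[str, str]:
    """Vulnerable pattern: every CNAME in the ANSWER section is cached, whatever its owner."""
    aliases: Dict[str, str] = {}
    for r in answers:
        if r.rtype == "CNAME":
            aliases[canon(r.name)] = canon(r.rdata)
    return aliases


def build_alias_map_checked(
    qname: str, bailiwick: str, answers: List[Record]
) -> Tuple[Dict[str, str], Optional[str], List[Record]]:
    """Hardened pattern: walk the CNAME chain starting at qname.

    A CNAME is accepted only if (1) its owner is the name currently being
    resolved, so the record is relevant to this query, and (2) that owner is
    inside `bailiwick`, the domain the query was intended for. When the chain
    leaves the bailiwick, the walk stops and the target is returned for a
    fresh query instead of being trusted from this response.
    Returns (accepted aliases, name to re-query or None, rejected CNAME records).
    """
    by_owner: Dict[str, List[str]] = {}
    for r in answers:
        if r.rtype == "CNAME":
            by_owner.setdefault(canon(r.name), []).append(canon(r.rdata))

    accepted: Dict[str, str] = {}
    pending: Optional[str] = None
    current = canon(qname)
    for _ in range(MAX_CHAIN):
        if not in_bailiwick(current, bailiwick):
            pending = current  # chain left the zone: must be resolved separately
            break
        targets = by_owner.get(current)
        if not targets:
            break  # no further alias; the chain ends here
        target = targets[0]
        if len(targets) != 1 or target == current or target in accepted:
            break  # conflicting CNAMEs or a loop: stop trusting this chain
        accepted[current] = target
        current = target

    rejected = [r for r in answers if r.rtype == "CNAME" and canon(r.name) not in accepted]
    return accepted, pending, rejected


# Constructed ANSWER section for a query for www.example.com sent to the
# example.com zone. The login.example.com record is unrelated to the query
# and models the kind of injected CNAME the check is meant to discard.
SAMPLE_ANSWERS = [
    Record("www.example.com", "CNAME", "web.example.com"),
    Record("web.example.com", "CNAME", "cdn.example.net"),
    Record("cdn.example.net", "CNAME", "edge.example.net"),
    Record("login.example.com", "CNAME", "attacker.invalid"),
    Record("edge.example.net", "A", "192.0.2.10"),
]

if __name__ == "__main__":
    print("unchecked:", build_alias_map_unchecked(SAMPLE_ANSWERS))
    acc, requery, rej = build_alias_map_checked("www.example.com", "example.com", SAMPLE_ANSWERS)
    print("accepted:", acc)
    print("re-query out of bailiwick:", requery)
    print("rejected:", [r.name for r in rej])
```

With the sample data the unchecked map caches all four CNAMEs, including the `login.example.com` alias that has nothing to do with the query. The checked version keeps only the two in-zone links of the chain, reports `cdn.example.net.` as a name the resolver must look up on its own, and rejects the out-of-zone and unrelated records.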