PatchSiren cyber security CVE debrief

CVE-2026-42579 netty CVE debrief

Netty's DNS codec fails to enforce RFC 1035 domain name constraints during encoding and decoding operations, creating a bidirectional attack surface. Malicious DNS responses can exploit the decoder, while attacker-influenced hostnames can exploit the encoder. The vulnerability affects Netty versions prior to 4.1.133.Final and 4.2.13.Final. This is a HIGH severity issue (CVSS 7.5) with network attack vector, low attack complexity, and no required privileges or user interaction. The integrity impact is HIGH, with no confidentiality or availability impact per the CVSS vector. The weakness stems from improper input validation (CWE-20), uncontrolled resource consumption (CWE-400), and incorrect behavior order (CWE-626).

Vendor: netty
Product: Unknown
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-13
Original CVE updated: 2026-05-18
Advisory published: 2026-05-13
Advisory updated: 2026-05-18

Who should care

Organizations running Java applications with Netty dependencies, particularly those handling DNS operations or accepting user-provided hostnames. This includes microservices, proxy servers, load balancers, and any infrastructure using Netty for network I/O. Cloud-native deployments and containerized applications with Netty in their dependency chain should assess exposure promptly.

Technical summary

The vulnerability exists in Netty's DNS codec implementation, which does not validate the domain name length limits (255 octets for uncompressed names, 63 octets per label) and character constraints defined in RFC 1035. This affects both encoding paths (when applications supply hostnames for DNS queries) and decoding paths (when processing DNS responses). Because the flaw is bidirectional, attackers can target either client-side applications that process untrusted DNS responses or server-side applications that accept user-controlled hostnames. The fix in 4.1.133.Final and 4.2.13.Final adds proper RFC 1035 constraint enforcement. Applications should prioritize upgrading, given that the issue is network-exploitable and requires no authentication.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade Netty to version 4.1.133.Final or 4.2.13.Final or later
  • Review applications using Netty's DNS codec for unexpected DNS response handling
  • Validate and sanitize hostnames before passing to Netty DNS encoding operations
  • Monitor for anomalous DNS traffic patterns in applications using affected Netty versions
  • Assess dependency trees to identify transitive Netty usage requiring updates
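
One way to apply the hostname validation action above at the application boundary, using the 63-octet label and 255-octet name limits from the technical summary. This is an added example, not Netty's code or its fix; the class name DnsNameCheck, the method reject and the letters-digits-hyphen character policy are assumptions made for illustration, and the code uses only the JDK (Java 11 or later).

```java
/** Added example: checks a hostname before it is handed to any DNS encoder. */
public final class DnsNameCheck {
    private static final int MAX_LABEL_OCTETS = 63;  // RFC 1035 per-label limit
    private static final int MAX_NAME_OCTETS = 255;  // RFC 1035 limit on the encoded name

    private DnsNameCheck() {}

    /** Returns null if the name is acceptable, otherwise a short reason for rejecting it. */
    public static String reject(String host) {
        if (host == null) return "empty name";
        // A single trailing dot marks a fully qualified name; strip it before splitting.
        String name = host.endsWith(".") ? host.substring(0, host.length() - 1) : host;
        if (name.isEmpty()) return "empty name";
        int wireLength = 1; // the terminating zero-length root label
        for (String label : name.split("\\.", -1)) { // -1 keeps empty labels such as "a..b"
            if (label.isEmpty()) return "empty label";
            if (label.length() > MAX_LABEL_OCTETS) return "label longer than 63 octets";
            for (int i = 0; i < label.length(); i++) {
                char c = label.charAt(i);
                // Assumed policy: ASCII letters, digits and hyphen only, so one char is one octet.
                boolean ldh = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                        || (c >= '0' && c <= '9') || c == '-';
                if (!ldh) return String.format("disallowed character U+%04X", (int) c);
            }
            if (label.startsWith("-") || label.endsWith("-")) return "label starts or ends with '-'";
            wireLength += 1 + label.length(); // length octet plus the label's octets
        }
        return wireLength > MAX_NAME_OCTETS ? "name longer than 255 octets when encoded" : null;
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not taken from the advisory.
        String[] samples = {
            "example.com", "example.com.", "a..example.com", "bad\u0000name.example",
            "x".repeat(64) + ".example", ("a".repeat(63) + ".").repeat(4) + "com"
        };
        for (String s : samples) {
            String reason = reject(s);
            // Print the length rather than the raw input so control characters never reach the log.
            System.out.println("length=" + s.length() + " -> "
                    + (reason == null ? "OK" : "REJECT: " + reason));
        }
    }
}
```

Names that legitimately contain underscores (for example service-discovery labels) or non-ASCII characters would need the character policy relaxed or an ASCII conversion step before this check.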

Evidence notes

CVE published 2026-05-13; modified 2026-05-18. Vendor advisory confirms affected versions and fix availability. CPE criteria specify version ranges: all versions below 4.1.133.Final, and 4.2.0 through 4.2.12.Final.
