PatchSiren cyber security CVE debrief
CVE-2026-45673 netty CVE debrief
CVE-2026-45673 is a DNS Cache Poisoning vulnerability in Netty, a network application framework. The vulnerability has a CVSS score of 6.8 and was published on 2026-06-12T15:16:27.417Z. The vulnerability exists in Netty's DNS resolver, which uses a predictable PRNG for generating DNS transaction IDs and defaults to a static UDP source port. This combination reduces the entropy of DNS queries, enabling DNS Cache Poisoning (Kaminsky attack). The vulnerability was patched in versions 4.1.135.Final and 4.2.15.Final.
- Vendor: netty
- Product: Unknown
- CVSS: MEDIUM 6.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-12
Who should care
Users of Netty versions prior to 4.1.135.Final and 4.2.15.Final should update to a patched version to prevent DNS Cache Poisoning attacks.
Technical summary
Netty's DNS resolver uses a predictable PRNG for generating DNS transaction IDs and defaults to a static UDP source port. This combination reduces the entropy of DNS queries, enabling DNS Cache Poisoning (Kaminsky attack).
Defensive priority
High
Recommended defensive actions
- Update to Netty version 4.1.135.Final or 4.2.15.Final or later.
- Use a secure PRNG for generating DNS transaction IDs.
- Use a random UDP source port for DNS queries.
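To act on the first recommendation, the following added example (not code from this page or from the Netty project) checks a Maven dependency listing against the fixed versions named above. It assumes the resolver ships as `io.netty:netty-resolver-dns` and that the input has the `groupId:artifactId:type:version:scope` shape printed by `mvn dependency:list`; the sample lines are constructed.

```python
import re

# Fixed release per branch, as stated in this debrief.
FIXED = {(4, 1): 135, (4, 2): 15}
# Assumption: Maven artifact that carries Netty's DNS resolver.
ARTIFACT = "netty-resolver-dns"

COORD = re.compile(
    r"io\.netty:([\w.-]+):(?:[\w-]+:)+?(\d+\.\d+\.\d+(?:\.\w+)?)(?::|$)")

def classify(version):
    """Return 'patched', 'needs-update' or 'review' for a Netty version."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\.(\w+))?", version)
    if not m:
        return "review"
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    fixed = FIXED.get((major, minor))
    if fixed is None:
        return "review"        # branch with no fixed release named here
    if patch > fixed or (patch == fixed and m.group(4) == "Final"):
        return "patched"
    if patch == fixed:
        return "review"        # same number, but not the .Final build
    return "needs-update"

def scan(lines):
    """Return (version, status) for every resolver artifact in the listing."""
    findings = []
    for line in lines:
        m = COORD.search(line)
        if m and m.group(1) == ARTIFACT:
            findings.append((m.group(2), classify(m.group(2))))
    return findings

# Constructed sample input, not taken from a real build.
SAMPLE = [
    "[INFO]    io.netty:netty-resolver-dns:jar:4.1.118.Final:compile",
    "[INFO]    io.netty:netty-buffer:jar:4.1.118.Final:compile",
    "[INFO]    io.netty:netty-resolver-dns:jar:4.1.135.Final:compile",
    "[INFO]    io.netty:netty-resolver-dns:jar:4.2.15.Final:runtime",
    "[INFO]    io.netty:netty-resolver-dns:jar:4.0.56.Final:compile",
]

if __name__ == "__main__":
    for version, status in scan(SAMPLE):
        print(f"{ARTIFACT} {version}: {status}")
```

A `review` result means the version falls outside what this debrief states and should be checked against the upstream advisory.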
Evidence notes
The vulnerability was patched in versions 4.1.135.Final and 4.2.15.Final. [ref-4](https://github.com/netty/netty/releases/tag/netty-4.1.135.Final), [ref-5](https://github.com/netty/netty/releases/tag/netty-4.2.15.Final), [ref-6](https://github.com/netty/netty/security/advisories/GHSA-xmv7-r254-6q78)
Official resources
CVE-2026-45673 was published on 2026-06-12T15:16:27.417Z and modified on 2026-06-12T15:55:06.377Z.