PatchSiren cyber security CVE debrief
CVE-2026-47691 netty CVE debrief
CVE-2026-47691 is a HIGH severity vulnerability in Netty, a network application framework, that allows for DNS Cache Poisoning due to insufficient validation of NS records in the `DnsResolveContext`. This vulnerability affects Netty versions prior to 4.1.135.Final and 4.2.15.Final. An attacker controlling an authoritative name server for a subdomain can exploit this vulnerability to poison the cache for parent domains.
- Vendor: netty
- Product: Unknown
- CVSS: HIGH 8.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-15
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-15
Who should care
Users of Netty versions prior to 4.1.135.Final and 4.2.15.Final should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The `DnsResolveContext` in Netty insufficiently validates the bailiwick of NS records, allowing an attacker to poison the cache for parent domains. This is possible because the `add` method in `AuthoritativeNameServerList` accepts any NS record from the AUTHORITY section as long as the record's name is a suffix of the questionName. Subsequently, the `handleWithAdditional` method caches the associated A records from the ADDITIONAL section directly into the `authoritativeDnsServerCache` under the parent domain's key, bypassing standard bailiwick rules.
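The following added example (not Netty's code and not the upstream patch) models the acceptance rule described above next to a bailiwick-aware rule, so the difference can be seen on sample names. The class, the method names and the `responderZone` parameter are hypothetical, the `.test` names are constructed, and the strict rule is an assumption based on the standard bailiwick principle that a server may only delegate names inside the zone it was asked about.

```java
import java.util.Locale;

public class BailiwickCheckDemo {
    // Lower-case the name and add a trailing dot so names compare as FQDNs.
    static String normalize(String name) {
        String n = name.toLowerCase(Locale.ROOT);
        return n.endsWith(".") ? n : n + ".";
    }

    // True when child equals parent or sits below it on a label boundary.
    static boolean isSubdomainOf(String child, String parent) {
        String c = normalize(child);
        String p = normalize(parent);
        if (p.equals(".")) {
            return true; // the root zone contains every name
        }
        return c.equals(p) || c.endsWith("." + p);
    }

    // Model of the rule the summary describes: the NS owner name only
    // has to be a suffix of the question name.
    static boolean weakAccept(String nsOwner, String questionName) {
        return isSubdomainOf(questionName, nsOwner);
    }

    // Assumed hardened rule: the NS owner must also lie inside the zone
    // the responding server was queried for (responderZone).
    static boolean strictAccept(String nsOwner, String questionName, String responderZone) {
        return isSubdomainOf(questionName, nsOwner)
                && isSubdomainOf(nsOwner, responderZone);
    }

    public static void main(String[] args) {
        String question = "www.sub.example.test"; // constructed sample question
        String zone = "sub.example.test";         // zone delegated to the responder
        // Constructed NS owner names as they might appear in the AUTHORITY section.
        String[] owners = {"sub.example.test.", "SUB.example.test",
                           "example.test.", "test.", "ub.example.test."};
        for (String owner : owners) {
            System.out.printf("%-20s weak=%-5b strict=%b%n", owner,
                    weakAccept(owner, question), strictAccept(owner, question, zone));
        }
    }
}
```

Owner names where `weak` and `strict` disagree are the parent-zone records that the summary says end up cached under the parent domain's key.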
Defensive priority
HIGH
Recommended defensive actions
- Upgrade to Netty version 4.1.135.Final or 4.2.15.Final or later.
- Implement proper validation of NS records in the `DnsResolveContext`.
Evidence notes
CVE-2026-47691 has a CVSS score of 8.7 and is classified as HIGH severity. The vulnerability was published on 2026-06-12T16:16:30.310Z and modified on 2026-06-12T16:18:27.287Z.