Netty DNS Codec Domain Constraint Bypass (<=4.2.13, <=4.1.133)
CVE-2026-42579 Published on May 13, 2026
Netty: DNS Codec Input Validation Bypass in Netty (Encoder + Decoder)
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's DNS codec does not enforce RFC 1035 domain name constraints during either encoding or decoding. This creates a bidirectional attack surface: malicious DNS responses can exploit the decoder, and user-influenced hostnames can exploit the encoder. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Vulnerability Analysis
CVE-2026-42579 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. An automatable proof of concept (POC) exploit exists. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, a high impact on integrity, and no impact on availability.
Weakness Types
Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
What is a Resource Exhaustion Vulnerability?
The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.
CVE-2026-42579 has been classified to as a Resource Exhaustion vulnerability or weakness.
What is a Poison Null Byte Vulnerability?
The product does not properly handle null bytes or NUL characters when passing data between different representations or components.
CVE-2026-42579 has been classified to as a Poison Null Byte vulnerability or weakness.
Products Associated with CVE-2026-42579
Want to know whenever a new CVE is published for Netty? stack.watch will email you.
Affected Versions
netty:- Version >= 4.2.0.Alpha1, < 4.2.13.Final is affected.
- Version < 4.1.133.Final is affected.