CVE-2026-42579

About vulnerability

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty’s DNS codec does not enforce RFC 1035 domain name constraints during either encoding or decoding. This creates a bidirectional attack surface: malicious DNS responses can exploit the decoder, and user-influenced hostnames can exploit the encoder. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

Affected product:

Apache Kafka , Apache Spark , Eclipse Jetty , Netty , Spring , artemis , async-http-client , avro , azure-sdk-for-java , bolt-connection-java , cassandra-java-driver , couchbase-jvm-clients , cxf , elasticsearch , grpc-netty , infinispan , java-driver , lettuce , logging-flume , logging-log4j2 , neo4j-java-driver , netty , rsocket-java , tika , wildfly , zookeeper

Affected packages:

cxf-tools-javato @ 3.5.11 (+5688 more)

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty’s DNS codec does not enforce RFC 1035 domain name constraints during either encoding or decoding. This creates a bidirectional attack surface: malicious DNS responses can exploit the decoder, and user-influenced hostnames can exploit the encoder. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.