External risk intelligence

Netty DNS Validation Flaw Allows Spoofed Responses

CVE advisorySeverity: CRITICAL (CVSS 10.0)

CVE-2026-45674

A vulnerability in Netty's DNS resolution could allow attackers to intercept network traffic. This issue arises from insufficient validation of CNAME records in DNS responses, potentially enabling the redirection of communication to malicious servers. Given Netty's role as a network application framework, this flaw war

3Halo Surface Signal

Netty

before 4.1.1354.2.0 to before 4.2.15

External exposure likelihood

Halo Surface Signal score for CVE-2026-45674

Netty is a foundational framework for many applications, including internal services and public-facing infrastructure. This vulnerability exists in the DnsResolveContext component. Because exploitation depends on whether an application utilizes this specific DNS resolution logic, exposure varies significantly based on individual implementation and network configuration.

PCI scan relevance

PCI Relevance for CVE-2026-45674

Yes

CVE-2026-45674 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This CVE affects Netty and could allow an attacker to bypass authentication due to improper validation of DNS responses. This is a critical vulnerability likely to cause an ASV scan failure.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability affects Netty, a network application framework, and could allow unauthorized access and modification of data due to improper validation of DNS responses. The main concern is confirming relevance and exposure within our environment.

DNS validation flaw in a network framework.
Affects systems using Netty for network applications.
Confirm if Netty is used and check its DNS resolution.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by sending specially crafted DNS responses. This could happen if a Netty-based application resolves DNS names, allowing an attacker to manipulate DNS records that are then processed by the vulnerable component. If successful, this could lead to the application processing malicious data originating from an unexpected source.

Network access required.
Malicious DNS responses trigger it.
Compromises application integrity.

Live Threat

Current exploitation, exposure, and threat context

When Netty applications incorrectly process CNAME DNS records, it could affect the origin of network requests. This vulnerability allows an attacker to potentially manipulate DNS responses, leading to requests being misdirected.

Network request origin
Malicious DNS responses
Service misdirection

Operational Fix

Recommended remediation, mitigation, and detection steps

Application owners and platform teams are likely responsible for addressing this vulnerability in the Netty framework, as it affects network application development. The first practical step is to identify all instances of the affected Netty versions, determine their exposure and business criticality, and then assign ownership for remediation planning.

Identify affected Netty deployments.
Verify network exposure and criticality.
Plan remediation based on risk.

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Free EASM Trial See How Signal Works

Frequently asked questions

What is Netty used for?

Netty is a foundational Java framework used by developers to build high-performance network applications. It simplifies complex tasks like creating protocol servers and clients, handling data transmission, and managing asynchronous connections. Many widely used web servers, messaging systems, and microservices rely on Netty to facilitate reliable network communication.

How does this CVE-2026-45674 vulnerability work?

This issue is categorized under CWE-345, which involves a failure to verify the authenticity of data. In this case, the Netty component responsible for DNS resolution does not properly check the origin of CNAME records in DNS responses. This means the system might accept redirected DNS information from unauthorized sources, potentially leading the application to interact with unintended or malicious network destinations.

Do I need to worry about any DNS response?

Not every DNS interaction triggers this flaw. The vulnerability specifically relates to how the framework validates the 'bailiwick,' or authorized domain scope, of CNAME records. If your application logic does not use Netty's affected DnsResolveContext component to process DNS queries, or if you are not performing operations that rely on CNAME resolution, the specific preconditions for this issue are not met.

Is my application at risk if it is not internet-facing?

According to Halo Surface Signal, risk depends on your specific implementation. While internet-facing infrastructure is often a primary concern, Netty is frequently used in internal services as well. If your internal applications use the affected DNS resolution logic, they could still be impacted if an attacker gains a foothold within your network and influences DNS traffic.

When should I update my Netty version?

You should prioritize moving to versions 4.1.135.Final or 4.2.15.Final as soon as your development cycle allows. The first step is to audit your software dependencies to identify if your projects utilize the affected range. Once identified, updating the library is the recommended way to apply the vendor-provided security patches that resolve the DNS validation logic error.

References

Written by Nicholas Merritt

External-surface CVE analysis and Halo Surface Signal prioritization for Halo Threat Intelligence.