External risk intelligence

Netty DNS Cache Poisoning Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 10.0)

CVE-2026-47691

Netty, a network application framework, contains a DNS cache poisoning vulnerability where an attacker controlling a subdomain's name server can manipulate DNS records for parent domains. This could lead to future DNS resolutions being directed to attacker-controlled infrastructure.

3Halo Surface Signal

Netty

before 4.1.1354.2.0 to before 4.2.15

External exposure likelihood

Halo Surface Signal score for CVE-2026-47691

Netty is a framework used by developers to build various protocol servers and clients. While it can be embedded in internet-facing applications, it is a library rather than a standalone appliance or service, meaning its exposure is entirely dependent on how and where a developer chooses to implement it within their specific network architecture.

PCI scan relevance

PCI Relevance for CVE-2026-47691

Yes

CVE-2026-47691 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

A DNS cache poisoning vulnerability in Netty could allow redirection of network traffic. This impacts network infrastructure and is relevant for PCI scans.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

This advisory addresses a vulnerability in Netty, a widely used framework for building network applications. The issue could allow an attacker to manipulate DNS responses, potentially redirecting traffic or impacting the integrity of network lookups. The main concern is confirming relevance and exposure within our environment.

Attackers could disrupt DNS lookups.
Protects against a specific type of network data manipulation.
Confirm if Netty is used and assess potential impact.

Attack Path

How an attacker could exploit the issue

An attacker who controls a name server for a specific subdomain can exploit this vulnerability by manipulating DNS records. This manipulation allows them to poison the DNS cache of parent domains, leading to future resolutions being directed to malicious servers. This can ultimately result in significant data compromise and integrity loss.

Attacker controls a name server.
Vulnerable `DnsResolveContext` method.
Cache poisoning, leading to data compromise.

Live Threat

Current exploitation, exposure, and threat context

When supported by the advisory, an attacker controlling an authoritative name server for a subdomain could potentially poison the DNS cache for parent domains. This could lead to future DNS resolutions for the parent domain being directed to attacker-controlled infrastructure.

DNS cache poisoning for parent domains.
Attacker controls authoritative subdomain name server.
Leads to redirection of parent domain resolutions.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Teams responsible for Netty deployments, likely application owners and platform teams, must first identify all instances of the affected framework, confirm their network exposure and business criticality, and then assign ownership for remediation planning. This initial assessment will determine the urgency and approach for addressing the DNS cache poisoning vulnerability.

Identify accountable owners for Netty instances.
Verify network exposure and business criticality.
Plan remediation based on identified risk.

Frequently asked questions

What is Netty and why is it used?

Netty is a foundational software framework that developers use to build high-performance network applications. It acts as a set of building blocks for creating custom protocol servers and clients, handling the complex networking details so developers can focus on application logic. It is widely embedded within many Java-based tools, microservices, and communication platforms to manage how data moves across networks.

How does CVE-2026-47691 impact DNS security?

This vulnerability involves a weakness in how Netty validates DNS records, formally classified as CWE-345 (Insufficient Verification of Data Authenticity). Because the software fails to correctly check the 'bailiwick'—a rule that ensures a server is only trusted for its own domain—it may accept malicious DNS data. This allows an attacker to inject fraudulent information into the system's DNS cache, tricking the application into trusting incorrect data for parent domains.

Does this DNS flaw trigger automatically?

No, it requires a specific condition. An attacker must already control an authoritative name server for a subdomain to attempt this cache poisoning. The bug is specifically triggered when Netty processes responses from that attacker-controlled server. If the DNS resolutions do not involve a malicious or compromised authoritative server, the conditions for this specific cache poisoning path are not met.

Is my application at risk from this vulnerability?

According to Halo Surface Signal, Netty is a library, not a standalone appliance, so your risk depends on how your developers have implemented it. If Netty is used within an internet-facing application that performs DNS lookups, the potential for exposure is higher. You should assess whether your internal software configurations rely on Netty's DNS resolution features and if those components are reachable from untrusted network segments.

What are the first steps to address this issue?

Your priority is to identify where Netty is being used across your environment. Once you locate the affected instances, verify their network exposure and determine which applications depend on them. After mapping your inventory, coordinate with the responsible application teams to update Netty to versions 4.1.135.Final or 4.2.15.Final, which include the necessary fixes for this vulnerability.

References

Written by Nicholas Merritt

External-surface CVE analysis and Halo Surface Signal prioritization for Halo Threat Intelligence.