CVE-2026-45674
HIGH 8.7
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty's DnsResolveContext fails to validate the origin (bailiwick) of CNAME records in DNS responses. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Severe if exploited (CVSS 8.7), but no known exploitation and low modeled probability. Patch on a normal cadence.
Exploitation likelihood
0.2% chance of exploitation in 30 days · 12th percentile
Impact if exploited
8.7 · CVSS 3.1 · HIGH
- Confidentiality: High
- Integrity: High
- Availability: None
What an attacker needs
- ✓ Access: Reachable over the network — no local access needed
- ✓ Privileges: No account or privileges required
- ✓ User interaction: No user interaction needed
- ⚠ Complexity: Needs a race window or specific setup
✓ lowers the bar for an attacker · ⚠ raises it
Affected
Products
- Netty
- Red Hat Build Of Apache Camel 3.33 For Quarkus 3.33.2.Sp1
- Red Hat Build Of Quarkus 3.27.4.Sp1
- Red Hat Build Of Quarkus 3.33.2.Sp1
- Cryostat 4
- Openshift Serverless
- Red Hat Build Of Apache Camel Hawtio 4
- Red Hat Build Of Apache Camel 4 For Quarkus 3
Weakness (CWE)
- CWE-345
- CWE-346
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
References
Advisories
Technical & other
- https://github.com/netty/netty/security/advisories/GHSA-676x-f7gg-47vc
- https://github.com/netty/netty/releases/tag/netty-4.1.135.Final
- https://github.com/netty/netty/releases/tag/netty-4.2.15.Final
- https://access.redhat.com/security/cve/CVE-2026-45674
- https://bugzilla.redhat.com/show_bug.cgi?id=2488400
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-45674.json