cbcvebase.
CVE-2026-42579
published 2026-05-13

CVE-2026-42579: Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's DNS codec does not enforce RFC 1035…

critical9.1CVSS 3.1
AVNACLPRNUINSUCNIHAH
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's DNS codec does not enforce RFC 1035 domain name constraints during either encoding or decoding. This creates a bidirectional attack surface: malicious DNS responses can exploit the decoder, and user-influenced hostnames can exploit the encoder. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

Affected

30 ranges· showing 25
VendorProductVersion rangeFixed in
devspacesmulticluster-redirector-rhel9
devspacesopenvsx-rhel9
devspacespluginregistry-rhel9
devspacesserver-rhel9
nettynetty< 4.1.133.Final4.1.133.Final
nettynetty< 4.1.1334.1.133
nettynetty
nettynetty>= 4.2.0 < 4.2.134.2.13
openshift-serverless-1kn-ekb-dispatcher-rhel9
openshift-serverless-1kn-ekb-receiver-rhel9
openshift-serverless-1kn-eventing-integrations-aws-ddb-streams-source-rhel9
openshift-serverless-1kn-eventing-integrations-aws-s3-sink-rhel9
openshift-serverless-1kn-eventing-integrations-aws-s3-source-rhel9
openshift-serverless-1kn-eventing-integrations-aws-sns-sink-rhel9
openshift-serverless-1kn-eventing-integrations-aws-sqs-sink-rhel9
openshift-serverless-1kn-eventing-integrations-aws-sqs-source-rhel9
openshift-serverless-1kn-eventing-integrations-log-sink-rhel9
openshift-serverless-1kn-eventing-integrations-timer-source-rhel9
rhbk-openshift-rhel9rhbk-openshift-rhel9
rhbk-rhel9-operatorrhbk-rhel9-operator
rhbkkeycloak-rhel9
rhbkkeycloak-rhel9-operator
rhoaiodh-spark-operator-rhel9
rhoaiodh-th06-cpu-torch210-py312-rhel9
rhoaiodh-th06-cpu-torch291-py312-rhel9