High severity7.5GHSA Advisory· Published May 13, 2026· Updated May 18, 2026
CVE-2026-42579
CVE-2026-42579
Description
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's DNS codec does not enforce RFC 1035 domain name constraints during either encoding or decoding. This creates a bidirectional attack surface: malicious DNS responses can exploit the decoder, and user-influenced hostnames can exploit the encoder. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
io.netty:netty-codec-dnsMaven | >= 4.2.0.Alpha1, < 4.2.13.Final | 4.2.13.Final |
io.netty:netty-codec-dnsMaven | < 4.1.133.Final | 4.1.133.Final |
Affected products
173- osv-coords172 versionspkg:apk/chainguard/akhqpkg:apk/chainguard/apache-hoppkg:apk/chainguard/apache-hop-fipspkg:apk/chainguard/apache-nifipkg:apk/chainguard/apache-pulsar-4.0pkg:apk/chainguard/apache-pulsar-4.2pkg:apk/chainguard/apache-pulsar-fips-4.0pkg:apk/chainguard/apache-pulsar-fips-4.2pkg:apk/chainguard/apicurio-registrypkg:apk/chainguard/camunda-8.8pkg:apk/chainguard/camunda-8.9pkg:apk/chainguard/camunda-zeebe-8.7pkg:apk/chainguard/camunda-zeebe-8.8pkg:apk/chainguard/camunda-zeebe-8.9pkg:apk/chainguard/commercial-elasticsearch-8.19pkg:apk/chainguard/commercial-elasticsearch-9.3pkg:apk/chainguard/commercial-elasticsearch-9.4pkg:apk/chainguard/druidpkg:apk/chainguard/elasticsearch-8.19pkg:apk/chainguard/elasticsearch-8.19-iamguardedpkg:apk/chainguard/elasticsearch-9.1pkg:apk/chainguard/elasticsearch-9.1-iamguardedpkg:apk/chainguard/elasticsearch-9.2pkg:apk/chainguard/elasticsearch-9.2-iamguardedpkg:apk/chainguard/elasticsearch-9.3pkg:apk/chainguard/elasticsearch-9.3-iamguardedpkg:apk/chainguard/elasticsearch-9.4pkg:apk/chainguard/elasticsearch-9.4-iamguardedpkg:apk/chainguard/elasticsearch-fips-8.19pkg:apk/chainguard/elasticsearch-fips-9.1pkg:apk/chainguard/elasticsearch-fips-9.2pkg:apk/chainguard/elasticsearch-fips-9.3pkg:apk/chainguard/elasticsearch-fips-9.4pkg:apk/chainguard/flywaypkg:apk/chainguard/flyway-fipspkg:apk/chainguard/hono-adapter-mqttpkg:apk/chainguard/hono-clipkg:apk/chainguard/hono-service-authpkg:apk/chainguard/hono-service-command-routerpkg:apk/chainguard/hono-service-device-registry-jdbcpkg:apk/chainguard/infinispan-15.0pkg:apk/chainguard/infinispan-15.1pkg:apk/chainguard/infinispan-15.2pkg:apk/chainguard/infinispan-16.0pkg:apk/chainguard/infinispan-16.1pkg:apk/chainguard/kafbat-uipkg:apk/chainguard/kafbat-ui-fipspkg:apk/chainguard/kafka-bridgepkg:apk/chainguard/kafka-bridge-fipspkg:apk/chainguard/kayenta-2025.4pkg:apk/chainguard/kayenta-2026.0pkg:apk/chainguard/kayenta-2026.1pkg:apk/chainguard/kayenta-fips-2025.4pkg:apk/chainguard/kayenta-fips-2026.0pkg:apk/chainguard/kayenta-fips-2026.1pkg:apk/chainguard/keycloak-26.6pkg:apk/chainguard/keycloak-26.6-iamguarded-compatpkg:apk/chainguard/keycloak-26.6-operatorpkg:apk/chainguard/keycloak-fips-26.6pkg:apk/chainguard/keycloak-fips-26.6-iamguarded-fipspkg:apk/chainguard/keycloak-fips-26.6-operatorpkg:apk/chainguard/knative-kafka-broker-1.20-dispatcher-loompkg:apk/chainguard/knative-kafka-broker-1.20-receiver-loompkg:apk/chainguard/knative-kafka-broker-1.21-dispatcher-loompkg:apk/chainguard/knative-kafka-broker-1.21-receiver-loompkg:apk/chainguard/knative-kafka-broker-1.22-dispatcher-loompkg:apk/chainguard/knative-kafka-broker-1.22-receiver-loompkg:apk/chainguard/knative-kafka-broker-fips-1.20-dispatcher-loompkg:apk/chainguard/knative-kafka-broker-fips-1.20-receiver-loompkg:apk/chainguard/knative-kafka-broker-fips-1.21-dispatcher-loompkg:apk/chainguard/knative-kafka-broker-fips-1.21-receiver-loompkg:apk/chainguard/knative-kafka-broker-fips-1.22-dispatcher-loompkg:apk/chainguard/management-api-for-apache-cassandra-4.0pkg:apk/chainguard/management-api-for-apache-cassandra-4.1pkg:apk/chainguard/management-api-for-apache-cassandra-5.0pkg:apk/chainguard/opensearch-2-repository-azurepkg:apk/chainguard/opensearch-3-repository-azurepkg:apk/chainguard/opensearch-fips-3-repository-azurepkg:apk/chainguard/pinotpkg:apk/chainguard/pinot-fipspkg:apk/chainguard/s3proxypkg:apk/chainguard/s3proxy-fipspkg:apk/chainguard/seata-serverpkg:apk/chainguard/spark-4.0-scala-2.13pkg:apk/chainguard/spark-4.1-scala-2.13pkg:apk/chainguard/spark-fips-4.1-scala-2.13pkg:apk/chainguard/spark-kubernetes-operatorpkg:apk/chainguard/spark-kubernetes-operator-fipspkg:apk/chainguard/strimzi-kafka-operator-cluster-operatorpkg:apk/chainguard/strimzi-kafka-operator-fips-cluster-operatorpkg:apk/chainguard/strimzi-kafka-operator-fips-kafka-agentpkg:apk/chainguard/strimzi-kafka-operator-fips-kafka-initpkg:apk/chainguard/strimzi-kafka-operator-fips-kafka-thirdparty-libs-ccpkg:apk/chainguard/strimzi-kafka-operator-fips-topic-operatorpkg:apk/chainguard/strimzi-kafka-operator-fips-tracing-agentpkg:apk/chainguard/strimzi-kafka-operator-fips-user-operatorpkg:apk/chainguard/strimzi-kafka-operator-kafka-agentpkg:apk/chainguard/strimzi-kafka-operator-kafka-initpkg:apk/chainguard/strimzi-kafka-operator-kafka-thirdparty-libs-ccpkg:apk/chainguard/strimzi-kafka-operator-topic-operatorpkg:apk/chainguard/strimzi-kafka-operator-tracing-agentpkg:apk/chainguard/strimzi-kafka-operator-user-operatorpkg:apk/chainguard/tezpkg:apk/chainguard/thingsboard-tb-mqtt-transportpkg:apk/chainguard/thingsboard-tb-nodepkg:apk/chainguard/trino-plugin-delta-lakepkg:apk/chainguard/trino-plugin-exchange-filesystempkg:apk/chainguard/trino-plugin-exchange-hdfspkg:apk/chainguard/trino-plugin-hivepkg:apk/chainguard/trino-plugin-hudipkg:apk/chainguard/trino-plugin-icebergpkg:apk/chainguard/trino-plugin-lakehousepkg:apk/chainguard/trino-plugin-pinotpkg:apk/chainguard/trino-plugin-spooling-filesystempkg:apk/chainguard/wildfly-openjdk-17pkg:apk/chainguard/wildfly-openjdk-21pkg:apk/chainguard/zipkinpkg:apk/chainguard/zipkin-slimpkg:apk/wolfi/akhqpkg:apk/wolfi/apache-nifipkg:apk/wolfi/apache-pulsar-4.2pkg:apk/wolfi/apicurio-registrypkg:apk/wolfi/druidpkg:apk/wolfi/flywaypkg:apk/wolfi/infinispan-15.2pkg:apk/wolfi/infinispan-16.0pkg:apk/wolfi/infinispan-16.1pkg:apk/wolfi/keycloak-26.6pkg:apk/wolfi/keycloak-26.6-iamguarded-compatpkg:apk/wolfi/keycloak-26.6-operatorpkg:apk/wolfi/management-api-for-apache-cassandra-5.0pkg:apk/wolfi/opensearch-2-repository-azurepkg:apk/wolfi/opensearch-3-repository-azurepkg:apk/wolfi/spark-4.0-scala-2.13pkg:apk/wolfi/spark-4.1-scala-2.13pkg:apk/wolfi/strimzi-kafka-operator-cluster-operatorpkg:apk/wolfi/strimzi-kafka-operator-kafka-agentpkg:apk/wolfi/strimzi-kafka-operator-kafka-initpkg:apk/wolfi/strimzi-kafka-operator-kafka-thirdparty-libs-ccpkg:apk/wolfi/strimzi-kafka-operator-topic-operatorpkg:apk/wolfi/strimzi-kafka-operator-tracing-agentpkg:apk/wolfi/strimzi-kafka-operator-user-operatorpkg:apk/wolfi/tezpkg:apk/wolfi/thingsboard-tb-mqtt-transportpkg:apk/wolfi/thingsboard-tb-nodepkg:apk/wolfi/trino-plugin-delta-lakepkg:apk/wolfi/trino-plugin-exchange-filesystempkg:apk/wolfi/trino-plugin-exchange-hdfspkg:apk/wolfi/trino-plugin-hivepkg:apk/wolfi/trino-plugin-hudipkg:apk/wolfi/trino-plugin-icebergpkg:apk/wolfi/trino-plugin-lakehousepkg:apk/wolfi/trino-plugin-pinotpkg:apk/wolfi/trino-plugin-spooling-filesystempkg:apk/wolfi/wildfly-openjdk-17pkg:apk/wolfi/wildfly-openjdk-21pkg:apk/wolfi/zipkinpkg:apk/wolfi/zipkin-slimpkg:maven/io.netty/netty-codec-dnspkg:rpm/opensuse/netty&distro=openSUSE%20Tumbleweedpkg:rpm/suse/netty&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP7pkg:rpm/suse/netty-tcnative&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOSpkg:rpm/suse/netty-tcnative&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSSpkg:rpm/suse/netty-tcnative&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-ESPOSpkg:rpm/suse/netty-tcnative&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-LTSSpkg:rpm/suse/netty-tcnative&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP7pkg:rpm/suse/netty-tcnative&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSSpkg:rpm/suse/netty-tcnative&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP5-LTSSpkg:rpm/suse/netty-tcnative&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP6-LTSSpkg:rpm/suse/netty-tcnative&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4pkg:rpm/suse/netty-tcnative&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP5pkg:rpm/suse/netty-tcnative&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP6
< 0.27.1-r1+ 171 more
- (no CPE)range: < 0.27.1-r1
- (no CPE)range: < 2.17.0-r13
- (no CPE)range: < 2.17.0-r13
- (no CPE)range: < 2.9.0-r6
- (no CPE)range: < 4.0.10-r1
- (no CPE)range: < 4.2.1-r2
- (no CPE)range: < 4.0.9-r16
- (no CPE)range: < 4.2.1-r3
- (no CPE)range: < 3.2.1-r5
- (no CPE)range: < 8.8.24-r1
- (no CPE)range: < 8.9.5-r2
- (no CPE)range: < 8.7.29-r1
- (no CPE)range: < 8.8.24-r1
- (no CPE)range: < 8.9.5-r2
- (no CPE)range: < 8.19.16-r0
- (no CPE)range: < 9.3.5-r0
- (no CPE)range: < 9.4.1-r0
- (no CPE)range: < 37.0.0-r3
- (no CPE)range: < 8.19.15-r1
- (no CPE)range: < 8.19.15-r1
- (no CPE)range: < 9.1.10-r5
- (no CPE)range: < 9.1.10-r5
- (no CPE)range: < 9.2.8-r3
- (no CPE)range: < 9.2.8-r3
- (no CPE)range: < 9.3.4-r1
- (no CPE)range: < 9.3.4-r1
- (no CPE)range: < 9.4.1-r0
- (no CPE)range: < 9.4.1-r0
- (no CPE)range: < 8.19.15-r1
- (no CPE)range: < 9.1.10-r12
- (no CPE)range: < 9.2.8-r1
- (no CPE)range: < 9.3.4-r1
- (no CPE)range: < 9.4.1-r0
- (no CPE)range: < 12.6.0-r0
- (no CPE)range: < 12.6.0-r0
- (no CPE)range: < 2.7.0-r15
- (no CPE)range: < 2.7.0-r15
- (no CPE)range: < 2.7.0-r15
- (no CPE)range: < 2.7.0-r15
- (no CPE)range: < 2.7.0-r15
- (no CPE)range: < 15.0.22-r7
- (no CPE)range: < 15.1.7-r15
- (no CPE)range: < 15.2.6-r15
- (no CPE)range: < 16.0.11-r2
- (no CPE)range: < 16.1.3-r2
- (no CPE)range: < 1.4.2-r10
- (no CPE)range: < 1.4.2-r9
- (no CPE)range: < 0.33.1-r16
- (no CPE)range: < 0.33.1-r11
- (no CPE)range: < 2025.4.3-r8
- (no CPE)range: < 2026.0.2-r8
- (no CPE)range: < 2026.1.0-r1
- (no CPE)range: < 2025.4.3-r9
- (no CPE)range: < 2026.0.2-r9
- (no CPE)range: < 2026.1.0-r1
- (no CPE)range: < 26.6.1-r2
- (no CPE)range: < 26.6.1-r2
- (no CPE)range: < 26.6.1-r2
- (no CPE)range: < 26.6.1-r4
- (no CPE)range: < 26.6.1-r3
- (no CPE)range: < 26.6.1-r4
- (no CPE)range: < 1.20.3-r6
- (no CPE)range: < 1.20.3-r6
- (no CPE)range: < 1.21.3-r2
- (no CPE)range: < 1.21.3-r2
- (no CPE)range: < 1.22.0-r2
- (no CPE)range: < 1.22.0-r2
- (no CPE)range: < 1.20.3-r6
- (no CPE)range: < 1.20.3-r6
- (no CPE)range: < 1.21.3-r4
- (no CPE)range: < 1.21.3-r4
- (no CPE)range: < 1.22.0-r2
- (no CPE)range: < 0.1.117-r1
- (no CPE)range: < 0.1.117-r1
- (no CPE)range: < 0.1.117-r1
- (no CPE)range: < 2.19.4-r14
- (no CPE)range: < 3.6.0-r5
- (no CPE)range: < 3.7.0-r0
- (no CPE)range: < 1.5.0-r4
- (no CPE)range: < 1.5.0-r3
- (no CPE)range: < 3.1.0-r2
- (no CPE)range: < 3.1.0-r2
- (no CPE)range: < 2.6.0-r9
- (no CPE)range: < 4.0.2-r12
- (no CPE)range: < 4.1.2-r1
- (no CPE)range: < 4.1.1-r14
- (no CPE)range: < 0.9.0-r0
- (no CPE)range: < 0.9.0-r0
- (no CPE)range: < 0.51.0-r26
- (no CPE)range: < 1.0.0-r0
- (no CPE)range: < 1.0.0-r0
- (no CPE)range: < 1.0.0-r0
- (no CPE)range: < 1.0.0-r0
- (no CPE)range: < 1.0.0-r0
- (no CPE)range: < 1.0.0-r0
- (no CPE)range: < 1.0.0-r0
- (no CPE)range: < 0.51.0-r26
- (no CPE)range: < 0.51.0-r26
- (no CPE)range: < 0.51.0-r26
- (no CPE)range: < 0.51.0-r26
- (no CPE)range: < 0.51.0-r26
- (no CPE)range: < 0.51.0-r26
- (no CPE)range: < 0.10.5-r12
- (no CPE)range: < 4.3.1.1-r8
- (no CPE)range: < 4.3.1.1-r8
- (no CPE)range: < 481-r0
- (no CPE)range: < 481-r0
- (no CPE)range: < 481-r0
- (no CPE)range: < 481-r0
- (no CPE)range: < 481-r0
- (no CPE)range: < 481-r0
- (no CPE)range: < 481-r0
- (no CPE)range: < 481-r0
- (no CPE)range: < 481-r0
- (no CPE)range: < 39.0.1-r8
- (no CPE)range: < 39.0.1-r8
- (no CPE)range: < 3.6.1-r6
- (no CPE)range: < 3.6.1-r6
- (no CPE)range: < 0.27.1-r1
- (no CPE)range: < 2.9.0-r6
- (no CPE)range: < 4.2.1-r2
- (no CPE)range: < 3.2.1-r5
- (no CPE)range: < 37.0.0-r3
- (no CPE)range: < 12.6.0-r0
- (no CPE)range: < 15.2.6-r15
- (no CPE)range: < 16.0.11-r2
- (no CPE)range: < 16.1.3-r2
- (no CPE)range: < 26.6.1-r2
- (no CPE)range: < 26.6.1-r2
- (no CPE)range: < 26.6.1-r2
- (no CPE)range: < 0.1.117-r1
- (no CPE)range: < 2.19.4-r14
- (no CPE)range: < 3.6.0-r5
- (no CPE)range: < 4.0.2-r12
- (no CPE)range: < 4.1.2-r1
- (no CPE)range: < 0.51.0-r26
- (no CPE)range: < 0.51.0-r26
- (no CPE)range: < 0.51.0-r26
- (no CPE)range: < 0.51.0-r26
- (no CPE)range: < 0.51.0-r26
- (no CPE)range: < 0.51.0-r26
- (no CPE)range: < 0.51.0-r26
- (no CPE)range: < 0.10.5-r12
- (no CPE)range: < 4.3.1.1-r8
- (no CPE)range: < 4.3.1.1-r8
- (no CPE)range: < 481-r0
- (no CPE)range: < 481-r0
- (no CPE)range: < 481-r0
- (no CPE)range: < 481-r0
- (no CPE)range: < 481-r0
- (no CPE)range: < 481-r0
- (no CPE)range: < 481-r0
- (no CPE)range: < 481-r0
- (no CPE)range: < 481-r0
- (no CPE)range: < 39.0.1-r8
- (no CPE)range: < 39.0.1-r8
- (no CPE)range: < 3.6.1-r6
- (no CPE)range: < 3.6.1-r6
- (no CPE)range: >= 4.2.0.Alpha1, < 4.2.13.Final
- (no CPE)range: < 4.1.133-1.1
- (no CPE)range: < 4.1.133-150200.4.46.1
- (no CPE)range: < 2.0.77-150200.3.39.1
- (no CPE)range: < 2.0.77-150200.3.39.1
- (no CPE)range: < 2.0.77-150200.3.39.1
- (no CPE)range: < 2.0.77-150200.3.39.1
- (no CPE)range: < 2.0.77-150200.3.39.1
- (no CPE)range: < 2.0.77-150200.3.39.1
- (no CPE)range: < 2.0.77-150200.3.39.1
- (no CPE)range: < 2.0.77-150200.3.39.1
- (no CPE)range: < 2.0.77-150200.3.39.1
- (no CPE)range: < 2.0.77-150200.3.39.1
- (no CPE)range: < 2.0.77-150200.3.39.1
Patches
Vulnerability mechanics
References
5- github.com/netty/netty/security/advisories/GHSA-cm33-6792-r9fmnvdExploitMitigationVendor AdvisoryWEB
- github.com/advisories/GHSA-cm33-6792-r9fmghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-42579ghsaADVISORY
- tools.ietf.org/html/rfc1035ghsaWEB
- tools.ietf.org/html/rfc1035ghsaWEB
News mentions
1- ⚡ Weekly Recap: Browser Bugs, EDR Killers, TV Botnet, OpenBSD Flaw, Android Trojan, and MoreThe Hacker News · Jun 22, 2026