Netty: 12 Vulnerabilities Disclosed Together, Many High-Severity DoS
Key findings
- Twelve Netty vulnerabilities disclosed together on June 8, 2026.
- Multiple high-severity DoS vulnerabilities related to unbounded resource consumption.
- Critical DNS cache poisoning flaws due to insufficient validation and predictable PRNG.
- HTTP/2, HTTP/3, SCTP, and QUIC protocols affected by various issues.
- Issues found in DNS resolvers, Redis decoders, and IP filtering mechanisms.
On June 8, 2026, a cluster of twelve vulnerabilities affecting the Netty Java network application framework was disclosed. The batch, disclosed within a four-hour window, includes several high-severity issues primarily related to denial-of-service (DoS) and resource exhaustion, alongside critical DNS cache poisoning flaws.
Several of the vulnerabilities concern weaknesses in Netty's DNS resolver. CVE-2026-47691 and CVE-2026-45674 describe insufficient bailiwick validation for NS and CNAME records, respectively, which could allow attackers to poison DNS caches for parent domains. Compounding the DNS risk, CVE-2026-45673 points to a predictable pseudo-random number generator (PRNG) and a default static source port in the DNS resolver, which reduce query entropy and make DNS cache poisoning attacks easier.
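As an added illustration (not Netty code and not taken from the disclosure), the bailiwick rule a resolver cache should enforce for the NS and CNAME cases above: a response from the server for a zone may only add or replace cached records whose owner name lies at or below that zone. The response data is constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass


def normalize(name: str) -> str:
    """Lower-case and ensure a trailing dot so comparisons are exact."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if `owner` equals `zone` or is a label-aligned subdomain of it."""
    owner, zone = normalize(owner), normalize(zone)
    if zone == ".":
        return True  # the root is the bailiwick of everything
    # The leading "." prevents "evilexample.com." from matching "example.com."
    return owner == zone or owner.endswith("." + zone)


@dataclass(frozen=True)
class Record:
    owner: str
    rtype: str  # "NS", "CNAME", "A", ...
    rdata: str


def cacheable_records(zone: str, records: list[Record]) -> list[Record]:
    """Keep only the records a resolver may cache from the server for `zone`.

    Out-of-bailiwick NS/CNAME records (for the parent domain or unrelated
    names) are the ones a poisoning attempt relies on being accepted, so they
    are dropped instead of cached.
    """
    return [r for r in records if in_bailiwick(r.owner, zone)]


# Constructed response from the server for "example.com." containing two
# legitimate records plus three that must not be cached.
SAMPLE_RESPONSE = [
    Record("www.example.com.", "CNAME", "cdn.example.com."),
    Record("cdn.example.com.", "A", "192.0.2.10"),
    Record("com.", "NS", "ns.attacker.example."),                 # parent zone
    Record("victim.example.", "CNAME", "host.attacker.example."),  # unrelated name
    Record("evilexample.com.", "A", "192.0.2.99"),                 # not label-aligned
]

if __name__ == "__main__":
    for r in cacheable_records("example.com.", SAMPLE_RESPONSE):
        print(f"cache: {r.owner} {r.rtype} {r.rdata}")
```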
A significant portion of the disclosed vulnerabilities are related to denial-of-service conditions, often stemming from unbounded resource consumption. CVE-2026-44892 describes an unbounded header size in the default configuration of the HTTP/3 codec, allowing for DoS attacks. Similarly, CVE-2026-44890 details unbounded direct memory consumption in the RedisDecoder due to crafted payloads, and CVE-2026-44250 highlights memory exhaustion in the RedisArrayAggregator caused by deeply nested arrays. Additionally, CVE-2026-45416 notes that the SNI handler can pre-allocate up to 16 MiB based on just nine attacker-controlled bytes, potentially leading to excessive memory allocation.
Other critical issues include CVE-2026-46340, where SCTP reassembly nests buffers without proper bounds, leading to resource exhaustion. CVE-2026-47244 indicates that the advertised MAX_CONCURRENT_STREAMS limit in HTTP/2 is not enforced, potentially allowing DoS. CVE-2026-44894 states that Netty's default QUIC token handler accepts any client-supplied token, which could have security implications. Lastly, CVE-2026-45536 describes a Unix-socket file descriptor leak on receive when a peer sends two file descriptors at once, and CVE-2026-44249 points to an IPv6 subnet filter bypass due to incorrect comparator masking.
While specific patch details for each individual CVE were not detailed in the disclosure, the sheer volume and severity of these vulnerabilities underscore the importance of updating Netty to the latest available versions. Users are advised to consult the official Netty security advisories and release notes for specific version information and patching guidance. The coordinated disclosure of these issues suggests a thorough review of Netty's network handling and configuration defaults is warranted.
This batch of vulnerabilities, particularly the concentration of high-severity DoS and DNS cache poisoning flaws, highlights critical areas for developers using Netty to scrutinize. The issues related to default configurations and unbounded resource consumption are especially concerning, as they may affect deployments that have not explicitly hardened these settings. Users should prioritize applying patches and reviewing their configurations to mitigate these risks.