CVE Catalog

CVE-2026-45673

MediumCVSS 6.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.40%

32th percentile — higher than 32% of all known CVEs

Summary

Netty, a network application framework, prior to versions 4.1.135.Final and 4.2.15.Final, used a predictable PRNG for generating DNS transaction IDs and defaults to a static UDP source port. This combination reduces the entropy of DNS queries, enabling DNS Cache Poisoning.

Risk Assessment

Organizations may be vulnerable to DNS Cache Poisoning attacks, which can lead to traffic redirection and data leakage.

Recommendation

It is recommended to upgrade to versions 4.1.135.Final or 4.2.15.Final to patch this vulnerability.

Original NVD description (English source)

Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty's DNS resolver uses a predictable PRNG for generating DNS transaction IDs and defaults to a static UDP source port. This combination reduces the entropy of DNS queries, enabling DNS Cache Poisoning (Kaminsky attack). Versions 4.1.135.Final and 4.2.15.Final patch the issue.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS