QSearchQSearch

CVE-2026-45673

6.8 MEDIUM

Netty is a network application framework for development of protocol servers and clients

Published: 2026-06-12 · Last updated: 2026-06-15

Severity and scoring

CVSS
6.8 MEDIUM
Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
CWE
CWE-330, CWE-340

Affected products

VendorProduct
nettynetty

Description

Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty's DNS resolver uses a predictable PRNG for generating DNS transaction IDs and defaults to a static UDP source port. This combination reduces the entropy of DNS queries, enabling DNS Cache Poisoning (Kaminsky attack). Versions 4.1.135.Final and 4.2.15.Final patch the issue.

Source: NVD

References

Related CVEs

Same vendor

  • CVE-2026-50560 Netty is a network application framework for development of protocol servers and clients (5.3 MEDIUM)
  • CVE-2026-50020 Netty is a network application framework for development of protocol servers and clients (5.3 MEDIUM)
  • CVE-2026-50011 Netty is a network application framework for development of protocol servers and clients (7.5 HIGH)
  • CVE-2026-50010 Netty is a network application framework for development of protocol servers and clients (7.5 HIGH)
  • CVE-2026-50009 Netty is a network application framework for development of protocol servers and clients (4.8 MEDIUM)

Same CWE

  • CVE-2026-42932 Naxclow device identifiers use fixed manufacturing prefixes combined with sequential counters, producing a fully predictable and enumerab... (5.3 MEDIUM)
  • CVE-2026-50009 Netty is a network application framework for development of protocol servers and clients (4.8 MEDIUM)
  • CVE-2026-41701 Correlation IDs for replies in the RabbitTemplate.sendAndReceive() with the fixed reply queue are predictable due to internal simple counter (4.4 MEDIUM)
  • CVE-2026-41838 IDs for WebSocket sessions in the spring-websocket module are not cryptographically unpredictable, which may be possible to exploit in co... (4.8 MEDIUM)
  • CVE-2026-41207 The netty incubator codec.bhttp is a java language binary http parser (5.3 MEDIUM)