CVEFinder.io

CVE-2026-42579

⚠️ high
🔍 Scan for this CVE
Summary

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's DNS codec does not enforce RFC 1035 domain name constraints during either encoding or decoding. This creates a bidirectional attack surface: malicious DNS responses can exploit the decoder, and user-influenced hostnames can exploit the encoder. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

CVSS Score
7.5
High
EPSS Score
0.0
Exploit Probability
Published Date
2026-05-13
First Seen: 2026-05-17
📊 Relative Risk Intelligence

This CVE is Moderate Risk - more severe than 69.0% of all 327,350 vulnerabilities in our database.

#101,599
Above average severity
Severity Percentile
🎯 CISA SSVC Assessment Updated: May 18, 2026
🔍 Exploitation Status
Poc
Proof-of-concept available
⚙️ Automatable
YES
Can be exploited automatically
💥 Technical Impact
Partial
Limited system impact
SSVC data provided by CISA
Last Modified 2026-05-18
Source NVD 🔗
CVSS Vector 3.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CWE IDs (Weakness Types)
CWE-20 CWE-400 CWE-626

📦 Affected Products 2

Vendor Product Status Affected Versions
netty netty Affected
< 4.1.133
netty netty Affected
> 4.2.0 < 4.2.13

🔗 References 1

https://github.com/netty/netty/security/advisories/G...
Exploit Mitigation Vendor Advisory

🔗 Related CVEs 6

CVE ID Severity CVSS EPSS Summary Published
CVE-2026-42577 ⚠️ high 7.5 0.1 Netty is an asynchronous, event-driven network application framework. From 4.2.0.Final to 4.2.13.Final , Netty's epoll t... 2026-05-13
CVE-2026-42578 ⚠️ high 7.5 0.0 Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's H... 2026-05-13
CVE-2026-42580 🔶 medium 6.5 0.0 Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's c... 2026-05-13
CVE-2026-42581 🔶 medium 5.8 0.0 Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjec... 2026-05-13
CVE-2026-42582 ⚠️ high 7.5 0.0 Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final, when decoding header blocks... 2026-05-13
CVE-2026-42583 ⚠️ high 7.5 0.0 Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Lz4FrameD... 2026-05-13
These CVEs affect the same products