CVE-2026-45673
MediumCVSS 6.8Exploitation Probability (EPSS)
Low risk32th percentile — higher than 32% of all known CVEs
Summary
Netty, a network application framework, prior to versions 4.1.135.Final and 4.2.15.Final, used a predictable PRNG for generating DNS transaction IDs and defaults to a static UDP source port. This combination reduces the entropy of DNS queries, enabling DNS Cache Poisoning.
Risk Assessment
Organizations may be vulnerable to DNS Cache Poisoning attacks, which can lead to traffic redirection and data leakage.
Recommendation
It is recommended to upgrade to versions 4.1.135.Final or 4.2.15.Final to patch this vulnerability.
Original NVD description (English source)
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty's DNS resolver uses a predictable PRNG for generating DNS transaction IDs and defaults to a static UDP source port. This combination reduces the entropy of DNS queries, enabling DNS Cache Poisoning (Kaminsky attack). Versions 4.1.135.Final and 4.2.15.Final patch the issue.

