{
  "threat_severity" : "Important",
  "public_date" : "2026-05-13T18:01:52Z",
  "bugzilla" : {
    "description" : "netty: Netty: High integrity impact due to improper DNS domain name constraint enforcement",
    "id" : "2477217",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2477217"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-1286",
  "details" : [ "Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's DNS codec does not enforce RFC 1035 domain name constraints during either encoding or decoding. This creates a bidirectional attack surface: malicious DNS responses can exploit the decoder, and user-influenced hostnames can exploit the encoder. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.", "A flaw was found in Netty. Netty's DNS (Domain Name System) codec does not properly enforce domain name constraints as defined in RFC 1035 during both encoding and decoding processes. This vulnerability allows a remote attacker to exploit the decoder using malicious DNS responses or exploit the encoder through user-influenced hostnames, leading to a high integrity impact on the affected system." ],
  "statement" : "This is an Important integrity flaw in Netty's DNS codec. The codec does not enforce RFC 1035 domain name constraints during either encoding or decoding, so a remote attacker can exploit the decoder with malicious DNS responses or the encoder through user-influenced hostnames. This could lead to a high integrity impact on affected Red Hat products that utilize the vulnerable Netty DNS codec.",
  "affected_release" : [ {
    "product_name" : "Cryostat 4 on RHEL 9",
    "release_date" : "2026-06-22T00:00:00Z",
    "advisory" : "RHSA-2026:28010",
    "cpe" : "cpe:/a:redhat:cryostat:4::el9",
    "package" : "cryostat/cryostat-reports-rhel9:4.2.0-10"
  }, {
    "product_name" : "Cryostat 4 on RHEL 9",
    "release_date" : "2026-06-22T00:00:00Z",
    "advisory" : "RHSA-2026:28010",
    "cpe" : "cpe:/a:redhat:cryostat:4::el9",
    "package" : "cryostat/cryostat-rhel9:4.2.0-10"
  }, {
    "product_name" : "Cryostat 4 on RHEL 9",
    "release_date" : "2026-06-22T00:00:00Z",
    "advisory" : "RHSA-2026:28010",
    "cpe" : "cpe:/a:redhat:cryostat:4::el9",
    "package" : "cryostat/jfr-datasource-rhel9:4.2.0-10"
  }, {
    "product_name" : "Red Hat build of Quarkus 3.27.4",
    "release_date" : "2026-06-10T00:00:00Z",
    "advisory" : "RHSA-2026:23808",
    "cpe" : "cpe:/a:redhat:quarkus:3.27::el8",
    "package" : "netty-codec-dns"
  }, {
    "product_name" : "Red Hat build of Quarkus 3.33.2",
    "release_date" : "2026-06-10T00:00:00Z",
    "advisory" : "RHSA-2026:24502",
    "cpe" : "cpe:/a:redhat:quarkus:3.33::el8"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces 3.28",
    "release_date" : "2026-06-10T00:00:00Z",
    "advisory" : "RHSA-2026:25123",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3.28::el9",
    "package" : "devspaces/openvsx-rhel9:1780948325"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces 3.28",
    "release_date" : "2026-06-10T00:00:00Z",
    "advisory" : "RHSA-2026:25123",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3.28::el9",
    "package" : "devspaces/pluginregistry-rhel9:1780696380"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces 3.28",
    "release_date" : "2026-06-10T00:00:00Z",
    "advisory" : "RHSA-2026:25123",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3.28::el9",
    "package" : "devspaces/server-rhel9:1780694994"
  } ],
  "package_state" : [ {
    "product_name" : "OpenShift Serverless",
    "fix_state" : "Under investigation",
    "package_name" : "openshift-serverless-1/kn-ekb-dispatcher-rhel9",
    "cpe" : "cpe:/a:redhat:serverless:1"
  }, {
    "product_name" : "OpenShift Serverless",
    "fix_state" : "Under investigation",
    "package_name" : "openshift-serverless-1/kn-ekb-receiver-rhel9",
    "cpe" : "cpe:/a:redhat:serverless:1"
  }, {
    "product_name" : "OpenShift Serverless",
    "fix_state" : "Under investigation",
    "package_name" : "openshift-serverless-1/kn-eventing-integrations-aws-ddb-streams-source-rhel9",
    "cpe" : "cpe:/a:redhat:serverless:1"
  }, {
    "product_name" : "OpenShift Serverless",
    "fix_state" : "Under investigation",
    "package_name" : "openshift-serverless-1/kn-eventing-integrations-aws-s3-sink-rhel9",
    "cpe" : "cpe:/a:redhat:serverless:1"
  }, {
    "product_name" : "OpenShift Serverless",
    "fix_state" : "Under investigation",
    "package_name" : "openshift-serverless-1/kn-eventing-integrations-aws-s3-source-rhel9",
    "cpe" : "cpe:/a:redhat:serverless:1"
  }, {
    "product_name" : "OpenShift Serverless",
    "fix_state" : "Under investigation",
    "package_name" : "openshift-serverless-1/kn-eventing-integrations-aws-sns-sink-rhel9",
    "cpe" : "cpe:/a:redhat:serverless:1"
  }, {
    "product_name" : "OpenShift Serverless",
    "fix_state" : "Under investigation",
    "package_name" : "openshift-serverless-1/kn-eventing-integrations-aws-sqs-sink-rhel9",
    "cpe" : "cpe:/a:redhat:serverless:1"
  }, {
    "product_name" : "OpenShift Serverless",
    "fix_state" : "Under investigation",
    "package_name" : "openshift-serverless-1/kn-eventing-integrations-aws-sqs-source-rhel9",
    "cpe" : "cpe:/a:redhat:serverless:1"
  }, {
    "product_name" : "OpenShift Serverless",
    "fix_state" : "Under investigation",
    "package_name" : "openshift-serverless-1/kn-eventing-integrations-log-sink-rhel9",
    "cpe" : "cpe:/a:redhat:serverless:1"
  }, {
    "product_name" : "OpenShift Serverless",
    "fix_state" : "Under investigation",
    "package_name" : "openshift-serverless-1/kn-eventing-integrations-timer-source-rhel9",
    "cpe" : "cpe:/a:redhat:serverless:1"
  }, {
    "product_name" : "Red Hat build of Apache Camel 4 for Quarkus 3",
    "fix_state" : "Under investigation",
    "package_name" : "netty-codec-dns",
    "cpe" : "cpe:/a:redhat:camel_quarkus:3"
  }, {
    "product_name" : "Red Hat build of Apache Camel for Spring Boot 4",
    "fix_state" : "Under investigation",
    "package_name" : "netty-codec-dns",
    "cpe" : "cpe:/a:redhat:camel_spring_boot:4"
  }, {
    "product_name" : "Red Hat build of Apicurio Registry 2",
    "fix_state" : "Under investigation",
    "package_name" : "netty-codec-dns",
    "cpe" : "cpe:/a:redhat:service_registry:2"
  }, {
    "product_name" : "Red Hat build of Apicurio Registry 3",
    "fix_state" : "Under investigation",
    "package_name" : "netty-codec-dns",
    "cpe" : "cpe:/a:redhat:apicurio_registry:3"
  }, {
    "product_name" : "Red Hat build of Debezium 3",
    "fix_state" : "Under investigation",
    "package_name" : "netty-codec-dns",
    "cpe" : "cpe:/a:redhat:debezium:3"
  }, {
    "product_name" : "Red Hat Build of Keycloak",
    "fix_state" : "Under investigation",
    "package_name" : "netty-codec-dns",
    "cpe" : "cpe:/a:redhat:build_keycloak:"
  }, {
    "product_name" : "Red Hat Build of Keycloak",
    "fix_state" : "Under investigation",
    "package_name" : "rhbk/keycloak-rhel9",
    "cpe" : "cpe:/a:redhat:build_keycloak:"
  }, {
    "product_name" : "Red Hat Build of Keycloak",
    "fix_state" : "Under investigation",
    "package_name" : "rhbk/keycloak-rhel9-operator",
    "cpe" : "cpe:/a:redhat:build_keycloak:"
  }, {
    "product_name" : "Red Hat Build of Keycloak",
    "fix_state" : "Under investigation",
    "package_name" : "rhbk-openshift-rhel9/rhbk-openshift-rhel9",
    "cpe" : "cpe:/a:redhat:build_keycloak:"
  }, {
    "product_name" : "Red Hat Build of Keycloak",
    "fix_state" : "Under investigation",
    "package_name" : "rhbk-rhel9-operator/rhbk-rhel9-operator",
    "cpe" : "cpe:/a:redhat:build_keycloak:"
  }, {
    "product_name" : "Red Hat build of OptaPlanner 8",
    "fix_state" : "Under investigation",
    "package_name" : "netty-codec-dns",
    "cpe" : "cpe:/a:redhat:optaplanner:::el6"
  }, {
    "product_name" : "Red Hat Data Grid 8",
    "fix_state" : "Under investigation",
    "package_name" : "netty-codec-dns",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3",
    "fix_state" : "Under investigation",
    "package_name" : "bazel7",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3",
    "fix_state" : "Under investigation",
    "package_name" : "bazel8",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3"
  }, {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Under investigation",
    "package_name" : "netty-codec-dns",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7",
    "fix_state" : "Under investigation",
    "package_name" : "netty-codec-dns",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8",
    "fix_state" : "Under investigation",
    "package_name" : "netty-codec-dns",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack",
    "fix_state" : "Under investigation",
    "package_name" : "netty-codec-dns",
    "cpe" : "cpe:/a:redhat:jbosseapxp"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Under investigation",
    "package_name" : "rhoai/odh-spark-operator-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Under investigation",
    "package_name" : "rhoai/odh-th06-cpu-torch210-py312-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Under investigation",
    "package_name" : "rhoai/odh-th06-cpu-torch291-py312-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Under investigation",
    "package_name" : "rhoai/odh-th06-cuda130-torch210-py312-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Under investigation",
    "package_name" : "rhoai/odh-th06-cuda130-torch291-py312-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Under investigation",
    "package_name" : "rhoai/odh-th06-rocm64-torch291-py312-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Under investigation",
    "package_name" : "rhoai/odh-trustyai-service-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Under investigation",
    "package_name" : "rhoai/odh-trustyai-service-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces",
    "fix_state" : "Under investigation",
    "package_name" : "devspaces/multicluster-redirector-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3"
  }, {
    "product_name" : "Red Hat Process Automation 7",
    "fix_state" : "Under investigation",
    "package_name" : "netty-codec-dns",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
  }, {
    "product_name" : "Red Hat Single Sign-On 7",
    "fix_state" : "Under investigation",
    "package_name" : "netty-codec-dns",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7"
  }, {
    "product_name" : "streams for Apache Kafka 2",
    "fix_state" : "Not affected",
    "package_name" : "netty-codec-dns",
    "cpe" : "cpe:/a:redhat:amq_streams:2"
  }, {
    "product_name" : "streams for Apache Kafka 3",
    "fix_state" : "Under investigation",
    "package_name" : "netty-codec-dns",
    "cpe" : "cpe:/a:redhat:amq_streams:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-42579\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-42579\nhttps://github.com/netty/netty/security/advisories/GHSA-cm33-6792-r9fm" ],
  "name" : "CVE-2026-42579",
  "csaw" : false
}