{
  "threat_severity" : "Important",
  "public_date" : "2026-06-12T14:17:50Z",
  "bugzilla" : {
    "description" : "netty-resolver-dns: Netty: Information disclosure and data manipulation due to improper CNAME record validation",
    "id" : "2488400",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2488400"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.7",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-346",
  "details" : [ "Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty's DnsResolveContext fails to validate the origin (bailiwick) of CNAME records in DNS responses. Versions 4.1.135.Final and 4.2.15.Final patch the issue.", "A flaw was found in Netty's DnsResolveContext. This vulnerability allows a remote attacker to achieve information disclosure or data manipulation by crafting malicious DNS responses. The flaw occurs because the DnsResolveContext fails to validate the origin (bailiwick) of CNAME records in DNS responses, which could enable an attacker to redirect network traffic or intercept sensitive data from affected applications." ],
  "statement" : "This Important severity flaw in Netty's DnsResolveContext allows a remote attacker to achieve information disclosure or data manipulation. By crafting malicious DNS responses, an attacker could redirect network traffic or intercept sensitive data, impacting applications utilizing Netty for DNS resolution in Red Hat products.",
  "affected_release" : [ {
    "product_name" : "Red Hat Build of Apache Camel 3.33 for Quarkus 3.33.2.SP1",
    "release_date" : "2026-06-17T00:00:00Z",
    "advisory" : "RHSA-2026:26586",
    "cpe" : "cpe:/a:redhat:apache_camel_quarkus:3.33",
    "package" : "netty-resolver-dns"
  }, {
    "product_name" : "Red Hat build of Quarkus 3.27.4.SP1",
    "release_date" : "2026-06-17T00:00:00Z",
    "advisory" : "RHSA-2026:26018",
    "cpe" : "cpe:/a:redhat:quarkus:3.27::el8",
    "package" : "netty-resolver-dns"
  }, {
    "product_name" : "Red Hat build of Quarkus 3.33.2.SP1",
    "release_date" : "2026-06-17T00:00:00Z",
    "advisory" : "RHSA-2026:26017",
    "cpe" : "cpe:/a:redhat:quarkus:3.33::el8",
    "package" : "netty-resolver-dns"
  } ],
  "package_state" : [ {
    "product_name" : "Cryostat 4",
    "fix_state" : "Affected",
    "package_name" : "netty-resolver-dns",
    "cpe" : "cpe:/a:redhat:cryostat:4"
  }, {
    "product_name" : "OpenShift Serverless",
    "fix_state" : "Affected",
    "package_name" : "openshift-serverless-1/kn-ekb-dispatcher-rhel9",
    "cpe" : "cpe:/a:redhat:serverless:1"
  }, {
    "product_name" : "OpenShift Serverless",
    "fix_state" : "Affected",
    "package_name" : "openshift-serverless-1/kn-ekb-receiver-rhel9",
    "cpe" : "cpe:/a:redhat:serverless:1"
  }, {
    "product_name" : "OpenShift Serverless",
    "fix_state" : "Affected",
    "package_name" : "openshift-serverless-1/kn-eventing-integrations-aws-ddb-streams-source-rhel9",
    "cpe" : "cpe:/a:redhat:serverless:1"
  }, {
    "product_name" : "OpenShift Serverless",
    "fix_state" : "Affected",
    "package_name" : "openshift-serverless-1/kn-eventing-integrations-aws-s3-sink-rhel9",
    "cpe" : "cpe:/a:redhat:serverless:1"
  }, {
    "product_name" : "OpenShift Serverless",
    "fix_state" : "Affected",
    "package_name" : "openshift-serverless-1/kn-eventing-integrations-aws-s3-source-rhel9",
    "cpe" : "cpe:/a:redhat:serverless:1"
  }, {
    "product_name" : "OpenShift Serverless",
    "fix_state" : "Affected",
    "package_name" : "openshift-serverless-1/kn-eventing-integrations-aws-sns-sink-rhel9",
    "cpe" : "cpe:/a:redhat:serverless:1"
  }, {
    "product_name" : "OpenShift Serverless",
    "fix_state" : "Affected",
    "package_name" : "openshift-serverless-1/kn-eventing-integrations-aws-sqs-sink-rhel9",
    "cpe" : "cpe:/a:redhat:serverless:1"
  }, {
    "product_name" : "OpenShift Serverless",
    "fix_state" : "Affected",
    "package_name" : "openshift-serverless-1/kn-eventing-integrations-aws-sqs-source-rhel9",
    "cpe" : "cpe:/a:redhat:serverless:1"
  }, {
    "product_name" : "OpenShift Serverless",
    "fix_state" : "Affected",
    "package_name" : "openshift-serverless-1/kn-eventing-integrations-log-sink-rhel9",
    "cpe" : "cpe:/a:redhat:serverless:1"
  }, {
    "product_name" : "OpenShift Serverless",
    "fix_state" : "Affected",
    "package_name" : "openshift-serverless-1/kn-eventing-integrations-timer-source-rhel9",
    "cpe" : "cpe:/a:redhat:serverless:1"
  }, {
    "product_name" : "Red Hat build of Apache Camel 4 for Quarkus 3",
    "fix_state" : "Affected",
    "package_name" : "netty-resolver-dns",
    "cpe" : "cpe:/a:redhat:camel_quarkus:3"
  }, {
    "product_name" : "Red Hat build of Apache Camel for Spring Boot 4",
    "fix_state" : "Affected",
    "package_name" : "netty-resolver-dns",
    "cpe" : "cpe:/a:redhat:camel_spring_boot:4"
  }, {
    "product_name" : "Red Hat build of Apache Camel - HawtIO 4",
    "fix_state" : "Affected",
    "package_name" : "netty-resolver-dns",
    "cpe" : "cpe:/a:redhat:apache_camel_hawtio:4"
  }, {
    "product_name" : "Red Hat build of Apicurio Registry 3",
    "fix_state" : "Affected",
    "package_name" : "netty-resolver-dns",
    "cpe" : "cpe:/a:redhat:apicurio_registry:3"
  }, {
    "product_name" : "Red Hat build of Debezium 3",
    "fix_state" : "Will not fix",
    "package_name" : "netty-resolver-dns",
    "cpe" : "cpe:/a:redhat:debezium:3"
  }, {
    "product_name" : "Red Hat Build of Keycloak",
    "fix_state" : "Affected",
    "package_name" : "netty-resolver-dns",
    "cpe" : "cpe:/a:redhat:build_keycloak:"
  }, {
    "product_name" : "Red Hat Build of Keycloak",
    "fix_state" : "Affected",
    "package_name" : "rhbk/keycloak-rhel9",
    "cpe" : "cpe:/a:redhat:build_keycloak:"
  }, {
    "product_name" : "Red Hat Build of Keycloak",
    "fix_state" : "Affected",
    "package_name" : "rhbk/keycloak-rhel9-operator",
    "cpe" : "cpe:/a:redhat:build_keycloak:"
  }, {
    "product_name" : "Red Hat Build of Keycloak",
    "fix_state" : "Affected",
    "package_name" : "rhbk-openshift-rhel9/rhbk-openshift-rhel9",
    "cpe" : "cpe:/a:redhat:build_keycloak:"
  }, {
    "product_name" : "Red Hat Build of Keycloak",
    "fix_state" : "Affected",
    "package_name" : "rhbk-rhel9-operator/rhbk-rhel9-operator",
    "cpe" : "cpe:/a:redhat:build_keycloak:"
  }, {
    "product_name" : "Red Hat Data Grid 8",
    "fix_state" : "Affected",
    "package_name" : "netty-resolver-dns",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3",
    "fix_state" : "Not affected",
    "package_name" : "bazel6",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3",
    "fix_state" : "Not affected",
    "package_name" : "bazel7",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3",
    "fix_state" : "Not affected",
    "package_name" : "bazel8",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3"
  }, {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Will not fix",
    "package_name" : "netty-resolver-dns",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7",
    "fix_state" : "Affected",
    "package_name" : "netty-resolver-dns",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8",
    "fix_state" : "Affected",
    "package_name" : "netty-resolver-dns",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack",
    "fix_state" : "Affected",
    "package_name" : "netty-resolver-dns",
    "cpe" : "cpe:/a:redhat:jbosseapxp"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Affected",
    "package_name" : "rhoai/odh-spark-operator-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Affected",
    "package_name" : "rhoai/odh-th06-cpu-torch210-py312-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Affected",
    "package_name" : "rhoai/odh-th06-cpu-torch291-py312-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Affected",
    "package_name" : "rhoai/odh-th06-cuda130-torch210-py312-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Affected",
    "package_name" : "rhoai/odh-th06-cuda130-torch291-py312-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Affected",
    "package_name" : "rhoai/odh-th06-rocm64-torch291-py312-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Affected",
    "package_name" : "rhoai/odh-trustyai-service-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces",
    "fix_state" : "Affected",
    "package_name" : "devspaces/multicluster-redirector-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces",
    "fix_state" : "Affected",
    "package_name" : "devspaces/openvsx-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces",
    "fix_state" : "Affected",
    "package_name" : "devspaces/pluginregistry-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces",
    "fix_state" : "Affected",
    "package_name" : "devspaces/server-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3"
  }, {
    "product_name" : "Red Hat Single Sign-On 7",
    "fix_state" : "Not affected",
    "package_name" : "netty-resolver-dns",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7"
  }, {
    "product_name" : "streams for Apache Kafka 2",
    "fix_state" : "Affected",
    "package_name" : "netty-resolver-dns",
    "cpe" : "cpe:/a:redhat:amq_streams:2"
  }, {
    "product_name" : "streams for Apache Kafka 3",
    "fix_state" : "Affected",
    "package_name" : "netty-resolver-dns",
    "cpe" : "cpe:/a:redhat:amq_streams:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-45674\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-45674\nhttps://github.com/netty/netty/releases/tag/netty-4.1.135.Final\nhttps://github.com/netty/netty/releases/tag/netty-4.2.15.Final\nhttps://github.com/netty/netty/security/advisories/GHSA-676x-f7gg-47vc" ],
  "name" : "CVE-2026-45674",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}