NVD CRITICAL: CVE-2026-42579 — Netty is an asynchronous, event-driven network application framework. Prior to 4...

Wednesday, May 13, 2026 at 07:17 PM UTC·Source: NIST NVD

Updated: Monday, May 18, 2026 at 01:00 PM UTC

Executive Summary

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's DNS codec does not enforce RFC 1035 domain name constraints during either encoding or decoding. This creates a bidirectional attack surface: malicious DNS responses can exploit the decoder, and user-influenced hostnames can exploit the encoder. This vulnerability is fixed in 4.2.1

Analysis

Indicators of Compromise (1)

CVE (1)

CVE-2026-42579

NVD MITRE CVE

Source Attribution

Originally published by NIST NVD on May 13, 2026. Verified by: NIST.

Related Threats

MEDIUMVulnerabilityNEW

Interpol Launches Sweeping Cybercrime Crackdown in MENA Region

Over 200 people were arrested in an anti-cybercrime operation that spanned 13 countries across the Middle East and North Africa

9m agoInfosecurity Magazine

MEDIUMVulnerabilityNEW

Grafana says stolen GitHub token let hackers steal codebase

Grafana Labs disclosed that hackers have downloaded its source code after breaching its GitHub environment using a stolen access token. [...]

23m agoBleepingComputer

LOWVulnerabilityNEW

CMC Markets launches spread-betting account for retail clients

CMC Markets (“CMC”), a FTSE 250 company and global leader in multi-asset online trading and investing, has launched Spectre for retail clients, following strong demand after the product was initially introduced for professional traders.

27m agoFinextra