.. _vulnerabilityManagement_securityAdvisory_2026_CVE-2026-42579:

CVE-2026-42579
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: 2026-05-07

Severity: High

CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

References:

- `https://guide.sonatype.com/vulnerability/CVE-2026-42579 <https://guide.sonatype.com/vulnerability/CVE-2026-42579>`_
- `https://github.com/netty/netty/security/advisories/GHSA-cm33-6792-r9fm <https://github.com/netty/netty/security/advisories/GHSA-cm33-6792-r9fm>`_
- `https://tools.ietf.org/html/rfc1035#section-2.3.4 <https://tools.ietf.org/html/rfc1035#section-2.3.4>`_
- `https://tools.ietf.org/html/rfc1035#section-4.1.4 <https://tools.ietf.org/html/rfc1035#section-4.1.4>`_

Library: io.netty:netty-codec-dns <= 4.1.132.Final

**Description**

CWE-20: Improper Input Validation / CWE-626: Null Byte Interaction Error / CWE-400: Uncontrolled Resource Consumption

Netty's DNS codec (``io.netty.handler.codec.dns.DnsCodecUtil``) does not enforce the RFC 1035 domain name constraints during either encoding or decoding. Both ``encodeDomainName()`` and ``decodeDomainName()`` are affected.

On the encoder side, label data is not validated for null bytes, per-label length (RFC 1035 maximum: 63 bytes) or total domain name length (RFC 1035 maximum: 255 bytes), and empty labels silently truncate the domain name. This enables differential interpretation between Java and native DNS resolvers (DNS cache poisoning, domain validation bypass), label/pointer confusion (length values >= 192 are interpreted as compression pointers per RFC 1035 Section 4.1.4) and silent truncation of domain names containing consecutive dots.

On the decoder side, malicious DNS responses with oversized labels or unbounded total length cause excessive ``StringBuilder`` allocation.

The issue is fixed in versions 4.1.133.Final and 4.2.13.Final.

**GovWay**

Affected versions:

- 3.3.x: <= 3.3.19.p1
- 3.4.x: <= 3.4.2.p1

Resolution:

- 3.3.x: 3.3.20
- 3.4.x: 3.4.3
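The following Python encoder and decoder are an added illustration, not Netty's or GovWay's code, of the RFC 1035 checks the description above says ``DnsCodecUtil`` omitted: null bytes, empty labels, the 63-octet label limit (a longer label's length byte collides with the 0xC0 pointer marker), the 255-octet name limit, and bounded pointer following on decode. Function names and the sample messages are constructed for this example.

```python
MAX_LABEL = 63       # RFC 1035 s2.3.4: a label is at most 63 octets
MAX_NAME = 255       # RFC 1035 s2.3.4: a name is at most 255 octets on the wire
POINTER_MASK = 0xC0  # RFC 1035 s4.1.4: top two bits set marks a compression pointer

def encode_domain_name(name: str) -> bytes:
    """Encode `name` as RFC 1035 labels; reject instead of silently truncating."""
    if "\x00" in name:
        raise ValueError("null byte in domain name")
    if name.endswith("."):                 # a single trailing dot is the root label
        name = name[:-1]
    out = bytearray()
    for label in (name.split(".") if name else []):
        raw = label.encode("ascii")        # assumes IDNA conversion happened earlier
        if not raw:
            raise ValueError("empty label (consecutive or leading dots)")
        if len(raw) > MAX_LABEL:           # a length byte >= 0xC0 would read as a pointer
            raise ValueError("label longer than 63 octets")
        out.append(len(raw))
        out += raw
    out.append(0)                          # root label terminates the name
    if len(out) > MAX_NAME:
        raise ValueError("encoded name longer than 255 octets")
    return bytes(out)

def decode_domain_name(msg: bytes, offset: int = 0) -> str:
    """Decode the name at `offset`, bounding label size, total size and pointer hops."""
    labels, total, seen = [], 0, set()
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        length = msg[offset]
        if length & POINTER_MASK == POINTER_MASK:   # compression pointer
            if offset in seen or offset + 1 >= len(msg):
                raise ValueError("bad or looping pointer")
            seen.add(offset)
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            continue
        if length > MAX_LABEL:
            raise ValueError("label longer than 63 octets")
        total += length + 1
        if total > MAX_NAME:                        # stop before building a huge string
            raise ValueError("name longer than 255 octets")
        if length == 0:
            return ".".join(labels) + "."
        if offset + 1 + length > len(msg):
            raise ValueError("truncated label")
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
```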