CVE-2026-42579
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's DNS codec does not en
CVSS
7.5
Alto
EPSS
1.0%
p58
KEV
—
Exploit Today
17
0-100
Publicado: 13 may 2026 · Última mod.: 15 jul 2026 · CWE-20 · CWE-400 · CWE-626
0.8%EPSS · 30 días1.0%
2026-06-302026-07-16
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's DNS codec does not enforce RFC 1035 domain name constraints during either encoding or decoding. This creates a bidirectional attack surface: malicious DNS responses can exploit the decoder, and user-influenced hostnames can exploit the encoder. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
- github.comhttps://github.com/netty/netty/security/advisories/GHSA-cm33-6792-r9fm
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:23808
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:24502
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:25123
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:28010
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:36820
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:37390
- access.redhat.comhttps://access.redhat.com/security/cve/CVE-2026-42579
- bugzilla.redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2477217
- github.comhttps://github.com/netty/netty/security/advisories/GHSA-cm33-6792-r9fm
- security.access.redhat.comhttps://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42579.json
CVECVSSEPSSKEVRExplotTítuloVis.
CVE-2026-341978.8 ALT99.9%
KEV—80Apache ActiveMQ Improper Input Validation Vulnerability2dCVE-2026-125699.8 CRÍ66.0%
KEV—70PTC Windchill and FlexPLM Improper Input Validation Vulnerability16dCVE-2025-607877.2 ALT97.0%
——29MotionEye v0.43.1b4 and before is vulnerable to OS Command Injection in configuration parameters such as image_file_name. Unsanitized user input is written to Motion configuration files, allowing remote authenticated attackers with admin access to achieve code execution when Motion is restarted.12dCVE-2017-149197.5 ALT94.3%
——28Node.js before 4.8.5, 6.x before 6.11.5, and 8.x before 8.8.0 allows remote attackers to cause a denial of service (uncaught exception and crash) by leveraging a change in the zlib module 1.2.9 making 8 an invalid value for the windowBits parameter.3dCVE-2025-138787.5 ALT94.2%
——28Malformed BRID/HHIT records can cause `named` to terminate unexpectedly.
This issue affects BIND 9 versions 9.18.40 through 9.18.43, 9.20.13 through 9.20.17, 9.21.12 through 9.21.16, 9.18.40-S1 through 9.18.43-S1, and 9.20.13-S1 through 9.20.17-S1.2dCVE-2026-482849.6 CRÍ94.1%
——28ColdFusion is affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.1d