The vulnerability exists in Netty's `DnsCodecUtil` (versions ≤4.2.12.Final), which fails to enforce RFC 1035 domain name constraints during both encoding and decoding.

On the encoder side, a domain name containing a null byte (e.g., "evil\0.example.com") is written with the null embedded in the label. Different DNS parsers then interpret the name differently: Java sees the full string, while C libraries truncate at the null, enabling cache poisoning. The encoder also accepts labels longer than 63 bytes. A 200-byte label writes a length byte `0xC8`; values 192–255 are reserved for compression pointers per RFC 1035, causing parser confusion. Additionally, consecutive dots like `"a..b.com"` cause silent truncation (only `"a."` is encoded), bypassing allowlists.

On the decoder side, no check limits label length to 63 bytes or total domain name to 255 bytes. A malicious DNS response can contain a 100-byte label, leading to a 105-character string; multiple large labels can produce a 305-byte domain name, triggering unbounded memory allocation.

Both encoder and decoder lack input validation for null bytes, label size, and total length, violating CWE-20, CWE-626, and CWE-400. An attacker controlling DNS responses (decoder) or user-supplied hostnames (encoder) can cause DNS cache poisoning, denial of service, domain validation bypass, and downstream processing failures.
Platform: Netty DNS codec
Version: 4.2.12.Final and prior
Vulnerability: Improper input validation
Severity: Critical
Date: 2026-05-07
Prediction: Patch expected 2026-08-15
What Undercode Says:
Compile and run encoder PoC (the `*` wildcards in the `find` patterns were lost in the original rendering and are restored here):

```bash
JARS=$(find ~/.m2/repository/io/netty -name "netty-*.jar" -path "*/4.2.12.Final/*" | grep -v sources | grep -v javadoc | tr '\n' ':')
javac -cp "$JARS" DnsEncoderNullBytePoC.java
java --add-opens java.base/java.lang=ALL-UNNAMED -cp "$JARS:." DnsEncoderNullBytePoC
```

Decoder PoC:

```bash
javac -cp "$JARS" DnsDecoderLengthPoC.java
java --add-opens java.base/java.lang=ALL-UNNAMED -cp "$JARS:." DnsDecoderLengthPoC
```

Detect oversized labels in DNS traffic (tcpdump):

```bash
tcpdump -i any -n -vv 'udp port 53' | grep -E 'len [6-9][0-9]|len 1[0-9]{2}'
```
Exploit:
Send a crafted DNS query with `"evil\0.trusted.com"` to a Netty-based resolver; the encoder writes the null byte, causing differential parsing and cache poisoning. Or return a DNS response with a 255-byte label (e.g., 255×'a'); the decoder allocates a huge string, leading to OOM. Use consecutive dots ("a..b.com") to truncate the domain and bypass allowlists.
Protection from this CVE
Upgrade to patched Netty (≥4.2.13.Final) once released. Apply the remediation: in `encodeDomainName`, reject empty labels, labels >63 bytes, null bytes, and total length >254. In `decodeDomainName`, reject label length >63 and total name >255. As a temporary workaround, validate all domain names before passing them to Netty's DNS codec, and filter DNS responses for label lengths >63.
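The checks described in the remediation above, as an added Python example (not Netty's own code): an RFC 1035 name encoder and an uncompressed-name decoder that reject null bytes, empty labels, labels over 63 bytes and names over 255 wire bytes. It assumes a single 255-byte wire limit in both directions and omits compression-pointer handling, which a full decoder would add.

```python
MAX_LABEL = 63   # RFC 1035: a label is at most 63 octets
MAX_NAME = 255   # RFC 1035: a wire-format name is at most 255 octets

def encode_domain_name(name: str) -> bytes:
    """Encode a hostname to DNS wire format, rejecting what the advisory lists."""
    if "\0" in name:
        raise ValueError("null byte in domain name")          # differential-parsing risk
    if name in ("", "."):
        return b"\0"                                           # root name
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")                            # IDNA-encode beforehand
        if not raw:
            raise ValueError("empty label (consecutive or leading dot)")
        if len(raw) > MAX_LABEL:
            raise ValueError("label longer than 63 bytes")     # would emit 0x40..0xFF
        out.append(len(raw))                                   # length octet, always < 0x40
        out += raw
    out.append(0)
    if len(out) > MAX_NAME:
        raise ValueError("encoded name longer than 255 bytes")
    return bytes(out)

def decode_domain_name(buf: bytes, offset: int = 0) -> str:
    """Decode an uncompressed wire-format name with the same bounds enforced."""
    labels, total = [], 1                                      # 1 for the root octet
    while True:
        if offset >= len(buf):
            raise ValueError("truncated name")
        length = buf[offset]
        offset += 1
        if length == 0:
            return ".".join(labels) + "."
        if length >= 0xC0:
            raise ValueError("compression pointer (not handled here)")
        if length > MAX_LABEL:
            raise ValueError("label length octet exceeds 63 (reserved 0x40..0xBF)")
        total += 1 + length
        if total > MAX_NAME:
            raise ValueError("name longer than 255 bytes")      # bounds allocation
        chunk = buf[offset:offset + length]
        if len(chunk) != length:
            raise ValueError("truncated label")
        if b"\0" in chunk:
            raise ValueError("null byte inside label")
        labels.append(chunk.decode("ascii"))
        offset += length
```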
Impact:
High integrity (cache poisoning, domain validation bypass), high availability (unbounded memory allocation, DoS), and potential downstream failures in certificate validators or URL parsers.
Sources:
Reported By: github.com