Token Handler Vulnerability in Netty Framework Impacting Network Applications
CVE-2026-44894
What is CVE-2026-44894?
Netty, a widely-used network application framework, has a vulnerability in its NoQuicTokenHandler class related to how tokens are validated. In versions before 4.2.15.Final, the method writeToken() returns false, which can misleadingly indicate that the server is not engaging in a Retry process. However, the validateToken() method returns a non-negative value unconditionally, leading to a misinterpretation that the client's address is validated. Consequently, attackers can send an Initial packet with any non-empty token bytes and a spoofed victim address, causing the server to consider the victim as a validated entity. This results in full-size handshake data being sent to the victim without adhering to the expected anti-amplification limitations outlined in RFC 9000 §8.1. The proper behavior would have been to return -1 for invalid tokens, ensuring that the server enforces the necessary amplification restrictions. Version 4.2.15.Final addresses this vulnerability effectively.
Affected Version(s)
netty >= 4.2.0.Final, < 4.2.15.Final
