Token Handler Vulnerability in Netty Framework Impacting Network Applications
CVE-2026-44894

7.5HIGH

Key Information:

Vendor

Netty

Status
Vendor
CVE Published:
12 June 2026

What is CVE-2026-44894?

Netty, a widely-used network application framework, has a vulnerability in its NoQuicTokenHandler class related to how tokens are validated. In versions before 4.2.15.Final, the method writeToken() returns false, which can misleadingly indicate that the server is not engaging in a Retry process. However, the validateToken() method returns a non-negative value unconditionally, leading to a misinterpretation that the client's address is validated. Consequently, attackers can send an Initial packet with any non-empty token bytes and a spoofed victim address, causing the server to consider the victim as a validated entity. This results in full-size handshake data being sent to the victim without adhering to the expected anti-amplification limitations outlined in RFC 9000 §8.1. The proper behavior would have been to return -1 for invalid tokens, ensuring that the server enforces the necessary amplification restrictions. Version 4.2.15.Final addresses this vulnerability effectively.

Affected Version(s)

netty >= 4.2.0.Final, < 4.2.15.Final

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.