Denial of Service Risk in Netty QUIC for Network Applications from Netty
CVE-2026-50009
4.8MEDIUM
What is CVE-2026-50009?
Netty QUIC, a component of the Netty network application framework, has a vulnerability that allows an on-path attacker to exploit the stateless reset token. This vulnerability is present prior to version 4.2.15.Final and can lead to Denial of Service attacks. The default HMAC-based connection-ID and stateless-reset-token generators expose the reset token in a way that attackers can derive it from connection ID information found in QUIC headers during a source-CID rotation. Attackers observing these headers can send a spoofed Stateless Reset packet, disrupting services. The issue is addressed in version 4.2.15.Final, which users are encouraged to upgrade to for enhanced security.
Affected Version(s)
netty >= 4.2.0.Final, < 4.2.15.Final
