Denial of Service Risk in Netty QUIC for Network Applications from Netty
CVE-2026-50009

4.8MEDIUM

Key Information:

Vendor

Netty

Status
Vendor
CVE Published:
12 June 2026

What is CVE-2026-50009?

Netty QUIC, a component of the Netty network application framework, has a vulnerability that allows an on-path attacker to exploit the stateless reset token. This vulnerability is present prior to version 4.2.15.Final and can lead to Denial of Service attacks. The default HMAC-based connection-ID and stateless-reset-token generators expose the reset token in a way that attackers can derive it from connection ID information found in QUIC headers during a source-CID rotation. Attackers observing these headers can send a spoofed Stateless Reset packet, disrupting services. The issue is addressed in version 4.2.15.Final, which users are encouraged to upgrade to for enhanced security.

Affected Version(s)

netty >= 4.2.0.Final, < 4.2.15.Final

References

CVSS V3.1

Score:
4.8
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.