Vulnerability Details CVE-2026-50009
Netty is a network application framework for development of protocol servers and clients. Prior to version 4.2.15.Final, Netty QUIC exposes the stateless reset token on the network path when using the default HMAC-based connection-ID and stateless-reset-token generators. The reset token for the server's current source connection ID can be derived from bytes that appear as the connection ID in QUIC headers after a source-CID rotation. An on-path attacker observing the headers can use the token to perform a Denial of Service by sending a spoofed Stateless Reset packet. Version 4.2.15.Final patches the issue.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 10.3%
CVSS Severity
CVSS v3 Score 4.8
References
Products affected by CVE-2026-50009
-
cpe:2.3:a:netty:netty:4.2.0
-
cpe:2.3:a:netty:netty:4.2.1
-
cpe:2.3:a:netty:netty:4.2.10
-
cpe:2.3:a:netty:netty:4.2.11
-
cpe:2.3:a:netty:netty:4.2.12
-
cpe:2.3:a:netty:netty:4.2.13
-
cpe:2.3:a:netty:netty:4.2.14
-
cpe:2.3:a:netty:netty:4.2.2
-
cpe:2.3:a:netty:netty:4.2.3
-
cpe:2.3:a:netty:netty:4.2.4
-
cpe:2.3:a:netty:netty:4.2.5
-
cpe:2.3:a:netty:netty:4.2.6
-
cpe:2.3:a:netty:netty:4.2.7
-
cpe:2.3:a:netty:netty:4.2.8
-
cpe:2.3:a:netty:netty:4.2.9