CVE-2026-44894
Undergoing Analysis Undergoing Analysis - In Progress
Quic Token Validation Bypass in Netty

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: GitHub, Inc.

Description
Netty is a network application framework for development of protocol servers and clients. NoQuicTokenHandler is the tokenHandler used when the application does not set one. Prior to version 4.2.15.Final, its writeToken() returns false (server will not send Retry β€” acceptable), but validateToken() unconditionally `return 0`. In QuicheQuicServerCodec.handlePacket(), a non-negative return from validateToken() is interpreted as 'token is valid, ODCID starts at offset 0', causing the server to call quiche_accept as if the client's address had been validated by a Retry round-trip. Per RFC 9000 Β§8.1, a validated address lifts the 3Γ— anti-amplification send limit. Thus any attacker who includes ANY non-empty token bytes in an Initial packet β€” with a spoofed victim source IP β€” causes the Netty server to treat the victim as validated and reflect full-size handshake flights (certificates, etc.) toward it without the 3Γ— cap. The correct 'no token handler' semantics would be to return -1 (invalid) so the normal un-validated path and amplification limit apply. Version 4.2.15.Final patches the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-12
Last Modified
2026-06-12
Generated
2026-06-12
AI Q&A
2026-06-12
EPSS Evaluated
N/A
NVD
CVE-2026-44894
EUVD
EUVD-2026-36435
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
netty netty to 4.2.15.Final (exc)
netty netty 4.2.15.final
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-940 The product establishes a communication channel to handle an incoming request that has been initiated by an actor, but it does not properly verify that the request is coming from the expected origin.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not explicitly address how the CVE-2026-44894 vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability affects Netty's QUIC token handler in versions 4.2.0.Final to 4.2.14.Final. The default NoQuicTokenHandler incorrectly validates any client-supplied token by returning 0 (indicating the token is valid) instead of -1 (invalid). As a result, the server mistakenly treats spoofed source IP addresses as validated, bypassing the normal anti-amplification limits defined in RFC 9000 Β§8.1. Attackers can exploit this by sending Initial packets with non-empty tokens and spoofed victim IPs, causing the server to reflect full handshake responses, such as certificates, toward the victim without rate limiting.

Impact Analysis

This vulnerability allows attackers to bypass the 3Γ— anti-amplification send limit, enabling them to use the vulnerable Netty server to reflect large handshake packets toward a victim's IP address. This can lead to amplification-based denial-of-service (DoS) attacks against the victim by overwhelming their network with large amounts of traffic. Additionally, the integrity of the server can be impacted as the vulnerability allows potential data modification without requiring privileges or user interaction.

Detection Guidance

This vulnerability involves the Netty QUIC token handler incorrectly validating tokens, allowing spoofed IP addresses to bypass anti-amplification limits. Detection would involve monitoring network traffic for unusual QUIC Initial packets containing non-empty tokens from unexpected or spoofed source IP addresses.

Specifically, you can look for QUIC Initial packets with tokens that cause the server to send large handshake responses without the usual rate limiting.

While no explicit commands are provided in the resources, network monitoring tools like tcpdump or Wireshark can be used to capture and analyze QUIC traffic. For example, a tcpdump command to capture QUIC Initial packets might be:

  • tcpdump -i <interface> 'udp and (udp[8] & 0x0f) == 0x0' -w quic_initial.pcap

This captures UDP packets where the first byte of the QUIC header indicates an Initial packet. Further analysis can be done on the captured packets to inspect tokens and source IPs.

Mitigation Strategies

The primary mitigation is to upgrade Netty to version 4.2.15.Final or later, where the issue is patched by correcting the token validation logic to return -1 for invalid tokens.

Until the upgrade can be applied, consider implementing network-level protections such as rate limiting or filtering to prevent amplification attacks caused by spoofed IP addresses sending QUIC Initial packets with tokens.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44894. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart