Netty is a network application framework for development of protocol servers and clients. Prior to version 4.2.15.Final, Netty QUIC exposes the stateless reset token on the network path when using the default HMAC-based connection-ID and stateless-reset-token generators. The reset token for the server's current source connection ID can be derived from bytes that appear as the connection ID in QUIC headers after a source-CID rotation. An on-path attacker observing the headers can use the token to perform a Denial of Service by sending a spoofed Stateless Reset packet. Version 4.2.15.Final patches the issue.
{
"cna_assigner": "GitHub_M",
"cwe_ids": [
"CWE-200",
"CWE-330"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/50xxx/CVE-2026-50009.json"
}{
"source": [
"AFFECTED_FIELD",
"CPE_RANGE",
"REFERENCES"
],
"cpe": "cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*",
"extracted_events": [
{
"introduced": "4.2.0.Final"
},
{
"fixed": "4.2.15.Final"
},
{
"introduced": "4.2.0"
},
{
"fixed": "4.2.15"
}
]
}