Description
Netty is a network application framework for development of protocol servers and clients. NoQuicTokenHandler is the tokenHandler used when the application does not set one. Prior to version 4.2.15.Final, its writeToken() returns false (server will not send Retry — acceptable), but validateToken() unconditionally `return 0`. In QuicheQuicServerCodec.handlePacket(), a non-negative return from validateToken() is interpreted as 'token is valid, ODCID starts at offset 0', causing the server to call quiche_accept as if the client's address had been validated by a Retry round-trip. Per RFC 9000 §8.1, a validated address lifts the 3× anti-amplification send limit. Thus any attacker who includes ANY non-empty token bytes in an Initial packet — with a spoofed victim source IP — causes the Netty server to treat the victim as validated and reflect full-size handshake flights (certificates, etc.) toward it without the 3× cap. The correct 'no token handler' semantics would be to return -1 (invalid) so the normal un-validated path and amplification limit apply. Version 4.2.15.Final patches the issue.
Published: 2026-06-12
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Netty’s default QUIC token handler incorrectly treats any non‑empty client‑supplied token as valid, granting the client a fake address validation. This bypasses the RFC 9000 anti‑amplification "3×" limit that normally caps outgoing traffic from a QUIC server, allowing an attacker to trigger full handshake flights to a victim’s IP without the limit. The flaw is a classic example of unauthorized resource access (CWE‑940), and can be used to perform amplification attacks that overload the victim with large packets.

Affected Systems

The vulnerability affects any Netty deployment that uses the default NoQuicTokenHandler and has not applied the 4.2.15.Final release or later. All Netty users running a QUIC server component prior to version 4.2.15.Final are impacted. The fix is delivered in Netty 4.2.15.Final and subsequent releases.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity, but the EPSS score of < 1 % suggests a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. It can be exploited remotely with a spoofed source IP and any non‑empty token, translating into potentially large outgoing traffic that evades normal amplification controls.

Generated by OpenCVE AI on June 12, 2026 at 15:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Netty library to version 4.2.15.Final or later.
  • Configure the application to use a custom QUIC token handler that returns –1 for invalid tokens if an upgrade cannot be performed immediately.
  • Implement network monitoring to detect abnormal outbound QUIC handshakes or large traffic spikes to the victim IPs.

Generated by OpenCVE AI on June 12, 2026 at 15:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-cmm3-54f8-px4j Netty's Default QUIC token handler accepts any client-supplied token
History

Fri, 12 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
First Time appeared Netty
Netty netty
Vendors & Products Netty
Netty netty

Fri, 12 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Description Netty is a network application framework for development of protocol servers and clients. NoQuicTokenHandler is the tokenHandler used when the application does not set one. Prior to version 4.2.15.Final, its writeToken() returns false (server will not send Retry — acceptable), but validateToken() unconditionally `return 0`. In QuicheQuicServerCodec.handlePacket(), a non-negative return from validateToken() is interpreted as 'token is valid, ODCID starts at offset 0', causing the server to call quiche_accept as if the client's address had been validated by a Retry round-trip. Per RFC 9000 §8.1, a validated address lifts the 3× anti-amplification send limit. Thus any attacker who includes ANY non-empty token bytes in an Initial packet — with a spoofed victim source IP — causes the Netty server to treat the victim as validated and reflect full-size handshake flights (certificates, etc.) toward it without the 3× cap. The correct 'no token handler' semantics would be to return -1 (invalid) so the normal un-validated path and amplification limit apply. Version 4.2.15.Final patches the issue.
Title Netty's Default QUIC token handler accepts any client-supplied token
Weaknesses CWE-940
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

Subscriptions

Netty Netty
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T14:06:54.213Z

Reserved: 2026-05-07T21:50:33.545Z

Link: CVE-2026-44894

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-06-12T15:16:26.240

Modified: 2026-06-12T15:55:06.377

Link: CVE-2026-44894

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-12T15:30:31Z

Weaknesses
  • CWE-940

    Improper Verification of Source of a Communication Channel