Severity: HIGH | CVE-2026-44894 | CNA: GitHub_M

CVE-2026-44894: Netty's Default QUIC token handler accepts any client-supplied token

Netty is a network application framework for the development of protocol servers and clients. NoQuicTokenHandler is the tokenHandler used when the application does not set one. Prior to version 4.2.15.Final, its writeToken() returns false (the server will not send a Retry, which is acceptable), but its validateToken() unconditionally returns 0. In QuicheQuicServerCodec.handlePacket(), a non-negative return from validateToken() is interpreted as "token is valid, ODCID starts at offset 0", so the server calls quiche_accept as if the client's address had been validated by a Retry round-trip. Per RFC 9000 §8.1, a validated address lifts the 3× anti-amplification send limit. As a result, any attacker who includes any non-empty token bytes in an Initial packet sent with a spoofed victim source IP causes the Netty server to treat the victim as validated and reflect full-size handshake flights (certificates, etc.) toward it without the 3× cap. The correct "no token handler" semantics would be to return -1 (invalid) so that the normal un-validated path and its amplification limit apply. Version 4.2.15.Final patches the issue.
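As an added example (not Netty's own code and not the upstream fix), the Java class below shows what a token handler that genuinely validates the client address looks like, and in particular the -1 return that the description above identifies as the correct result for anything that is not a token the server issued. Setting such a handler explicitly also means the vulnerable default NoQuicTokenHandler is never selected. It assumes the QuicTokenHandler interface of Netty 4.2 (package io.netty.handler.codec.quic; the signatures writeToken(ByteBuf, ByteBuf, InetSocketAddress), validateToken(ByteBuf, InetSocketAddress) and maxTokenLength() are taken from the codec's API and are an assumption here), and the client addresses in the demonstration are constructed from the 192.0.2.0/24 documentation range.

```java
import io.netty.buffer.ByteBuf;
import io.netty.buffer.Unpooled;
import io.netty.handler.codec.quic.QuicTokenHandler; // assumed package for Netty 4.2

import java.net.InetSocketAddress;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added example: a Retry token handler that binds each token to the client
 * address and original DCID with an HMAC. Token layout is MAC || DCID, so a
 * successful validateToken() returns MAC_LEN (the offset of the DCID inside
 * the token) and every other input returns -1.
 */
public final class HmacQuicTokenHandler implements QuicTokenHandler {
    private static final int MAC_LEN = 32;     // HMAC-SHA256 output length
    private static final int MAX_CID_LEN = 20; // RFC 9000 §17.2 connection ID limit
    private final SecretKeySpec key;

    public HmacQuicTokenHandler(byte[] secret) {
        this.key = new SecretKeySpec(secret, "HmacSHA256");
    }

    public static HmacQuicTokenHandler withRandomKey() {
        byte[] secret = new byte[32];
        new SecureRandom().nextBytes(secret); // per-process key; rotate in production
        return new HmacQuicTokenHandler(secret);
    }

    private byte[] mac(InetSocketAddress address, byte[] dcid) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(key);
            mac.update(address.getAddress().getAddress()); // raw IPv4/IPv6 bytes
            mac.update((byte) (address.getPort() >>> 8));
            mac.update((byte) address.getPort());
            mac.update(dcid);
            return mac.doFinal();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    @Override
    public boolean writeToken(ByteBuf out, ByteBuf dcid, InetSocketAddress address) {
        byte[] cid = new byte[dcid.readableBytes()];
        dcid.getBytes(dcid.readerIndex(), cid);
        out.writeBytes(mac(address, cid));
        out.writeBytes(cid);
        return true; // ask the codec to send a Retry carrying this token
    }

    @Override
    public int validateToken(ByteBuf token, InetSocketAddress address) {
        int len = token.readableBytes();
        // Too short to hold a MAC plus at least one DCID byte, or longer than we
        // ever issue: not our token. -1 keeps the client on the un-validated
        // path, so the 3x anti-amplification limit of RFC 9000 §8.1 still applies.
        if (len <= MAC_LEN || len > maxTokenLength()) {
            return -1;
        }
        byte[] presented = new byte[MAC_LEN];
        token.getBytes(token.readerIndex(), presented);
        byte[] cid = new byte[len - MAC_LEN];
        token.getBytes(token.readerIndex() + MAC_LEN, cid);
        byte[] expected = mac(address, cid);
        // Constant-time comparison; the DCID offset is only returned on a match.
        return MessageDigest.isEqual(expected, presented) ? MAC_LEN : -1;
    }

    @Override
    public int maxTokenLength() {
        return MAC_LEN + MAX_CID_LEN;
    }

    // Demonstration with constructed inputs; no sockets are involved.
    public static void main(String[] args) {
        HmacQuicTokenHandler handler = HmacQuicTokenHandler.withRandomKey();
        InetSocketAddress client = new InetSocketAddress("192.0.2.10", 40000);
        InetSocketAddress other = new InetSocketAddress("192.0.2.99", 40000);
        ByteBuf dcid = Unpooled.wrappedBuffer(new byte[] {1, 2, 3, 4, 5, 6, 7, 8});

        ByteBuf token = Unpooled.buffer();
        handler.writeToken(token, dcid, client);
        System.out.println("genuine token, same address:  " + handler.validateToken(token, client));
        System.out.println("genuine token, other address: " + handler.validateToken(token, other));
        System.out.println("arbitrary token bytes:        "
                + handler.validateToken(Unpooled.wrappedBuffer(new byte[] {0x41}), client));
        System.out.println("empty token:                  " + handler.validateToken(Unpooled.EMPTY_BUFFER, client));
    }
}
```

Running the demonstration prints the DCID offset (32) for the genuine token presented from the address it was issued to, and -1 for the same token from a different address, for arbitrary token bytes, and for an empty token. That last pair is the behaviour the default handler lacked before 4.2.15.Final: arbitrary bytes returned 0 and were treated as a validated address. The cost of this handler is one extra Retry round-trip per new connection, which is the price RFC 9000 attaches to address validation; if a deployment does not want Retry at all, the handler should still return -1 from validateToken() rather than 0.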

Metrics

  • CVSS v3.1: 7.5
  • Severity: HIGH
  • Fixed in: (not listed)
  • Affected Products: 1


HarborGuard Analysis

Synopsis

An authentication-bypass-style logic flaw in Netty's default QUIC token handler allows a network-based attacker to abuse the server's address-validation state without any credentials. The vulnerability is reachable over the network with no authentication required and no victim interaction needed; CVSS rates it 7.5 HIGH with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N. A successful attacker can weaponize the affected Netty server as a UDP amplification reflector, directing disproportionately large QUIC handshake responses at a spoofed victim IP address. No fix versions are published yet; HarborGuard tracks the advisory for patch availability.

HarborGuard Coverage

  • Detection: Available

    Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images in connected registries and CI pipelines, including internally built images that bundle affected versions of the Netty library (netty >= 4.2.0.Final, < 4.2.15.Final).

  • Triage: Available

    HarborGuard is capable of scoring this finding at CVSS 7.5 HIGH and weighting it against each environment's configured compliance policy; the resulting alert is routed to the team inbox or ticketing integration designated for that workload inside the customer's organization.

  • Patch: Pending upstream

    Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment Netty ships a resolved release. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered automatically once a fix version is confirmed.

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to send UDP packets to the server over the network; the vulnerable QUIC listener is exposed as a standard network service.

  • Authentication: Not required

    No credentials or session token are needed; the flaw exists in the unauthenticated QUIC Initial packet handling path before any identity check occurs.

  • Victim interaction: Not required

    The attack requires no action from any user or victim; the attacker crafts and sends the malicious Initial packet entirely on their own.

  • Attack complexity: Low (CVSS AC:L)

    Exploitation is reliable and condition-free; the attacker only needs to include any non-empty token bytes in a QUIC Initial packet with a spoofed source IP, with no race conditions or specific memory layout requirements.

Blast Radius

  • The attacker directs large QUIC handshake flights (including certificate messages) at an arbitrary victim IP address, exceeding the RFC 9000 3× anti-amplification limit that would normally cap reflected traffic.
  • The spoofed victim receives sustained high-volume UDP traffic it never initiated, which can saturate its network interface or exhaust connection-processing resources.
  • Confidentiality of data on the Netty server itself is not affected; the server's stored data is not exposed to the attacker.
  • The Netty server's own availability may degrade under sustained amplification abuse as it processes and transmits inflated handshake payloads toward spoofed destinations.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix for CVE-2026-44894 has been published, HarborGuard continuously re-checks the advisory on each ingest cycle and will surface a patched-image rebuild the moment Netty releases a resolved version. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered automatically at that point. In the interim, HarborGuard recommends applying network-policy controls to restrict which sources can send UDP traffic to QUIC listeners on affected services, using egress filtering to limit the volume of outbound handshake traffic the server can direct at any single destination, and disabling QUIC support in Netty configurations where it is not operationally required. These compensating controls reduce the exploitable surface while the upstream fix is pending.

Affected packages

  • netty / netty: >= 4.2.0.Final, < 4.2.15.Final

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N