{"@context":"https://openvex.dev/ns/v0.2.0","@id":"https://database.harborguard.co/cve/CVE-2026-44894/vex.json","author":"HarborGuard Database","role":"Document Creator","timestamp":"2026-06-13T03:04:10.351Z","version":1,"tooling":"HarborGuard Database (https://database.harborguard.co)","statements":[{"vulnerability":{"name":"CVE-2026-44894","@id":"https://www.cve.org/CVERecord?id=CVE-2026-44894","description":"Netty is a network application framework for development of protocol servers and clients. NoQuicTokenHandler is the tokenHandler used when the application does not set one. Prior to version 4.2.15.Final, its writeToken() returns false (server will not send Retry — acceptable), but validateToken() unconditionally `return 0`. In QuicheQuicServerCodec.handlePacket(), a non-negative return from validateToken() is interpreted as 'token is valid, ODCID starts at offset 0', causing the server to call q... [truncated in this record; see the linked CVE record for the full description]"},"products":[{"@id":"cpe:2.3:a:netty:netty:\\>\\=_4.2.0.final\\,_\\<_4.2.15.final:*:*:*:*:*:*:*","identifiers":{"cpe23":"cpe:2.3:a:netty:netty:\\>\\=_4.2.0.final\\,_\\<_4.2.15.final:*:*:*:*:*:*:*"}}],"status":"affected","action_statement":"No fixed version is published yet; monitor the upstream advisory. Note that the description and the affected range in this statement name 4.2.15.Final as the upper bound of affected versions, so confirm with upstream whether that release is available.","timestamp":"2026-06-13T03:04:10.351Z"}]}