CVE-2026-50009
4.8 MEDIUMNetty is a network application framework for development of protocol servers and clients
Published: 2026-06-12 · Last updated: 2026-06-15
Severity and scoring
- CVSS
- 4.8 MEDIUM
- Vector
- CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L
- CWE
- CWE-200, CWE-330
Affected products
| Vendor | Product |
|---|---|
| netty | netty |
Description
Netty is a network application framework for development of protocol servers and clients. Prior to version 4.2.15.Final, Netty QUIC exposes the stateless reset token on the network path when using the default HMAC-based connection-ID and stateless-reset-token generators. The reset token for the server's current source connection ID can be derived from bytes that appear as the connection ID in QUIC headers after a source-CID rotation. An on-path attacker observing the headers can use the token to perform a Denial of Service by sending a spoofed Stateless Reset packet. Version 4.2.15.Final patches the issue.
Source: NVD
References
Related CVEs
Same vendor
- CVE-2026-50560 — Netty is a network application framework for development of protocol servers and clients (5.3 MEDIUM)
- CVE-2026-50020 — Netty is a network application framework for development of protocol servers and clients (5.3 MEDIUM)
- CVE-2026-50011 — Netty is a network application framework for development of protocol servers and clients (7.5 HIGH)
- CVE-2026-50010 — Netty is a network application framework for development of protocol servers and clients (7.5 HIGH)
- CVE-2026-48748 — Netty is a network application framework for development of protocol servers and clients (7.5 HIGH)
Same CWE
- CVE-2026-12203 — A vulnerability was found in HKUDS AI-Trader up to 74caf996f78dcc0c657df8365c8544678a16e215 (5.3 MEDIUM)
- CVE-2026-49397 — Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool (5.3 MEDIUM)
- CVE-2026-47124 — Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool (6.5 MEDIUM)
- CVE-2026-54396 — An information disclosure vulnerability exists in the MISP AuthKey edit functionality
- CVE-2026-47264 — Discourse is an open-source discussion platform (5.3 MEDIUM)