PatchSiren cyber security CVE debrief
CVE-2026-44894 netty CVE debrief
CVE-2026-44894 is a vulnerability in Netty's NoQuicTokenHandler. Prior to version 4.2.15.Final, it incorrectly validates tokens, allowing an attacker to bypass the 3× anti-amplification send limit. The flaw is rated HIGH with a CVSS score of 7.5.
- Vendor: netty
- Product: Unknown
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-12
Who should care
Users of Netty prior to version 4.2.15.Final should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The NoQuicTokenHandler in Netty, used when no token handler is set, incorrectly validates tokens. The `writeToken()` method returns false, indicating the server will not send a Retry, but the `validateToken()` method unconditionally returns 0. This causes the server to treat the client's address as validated, lifting the 3× anti-amplification send limit. An attacker can exploit this by including any non-empty token bytes in an Initial packet with a spoofed victim source IP, causing the server to reflect full-size handshake flights towards the victim without the 3× cap.
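To make the inconsistency concrete, the following constructed model (added here, not Netty's code) tracks a server's per-peer send budget under the 3× anti-amplification rule and compares two token policies: one that mirrors the described behaviour (writeToken() never issues a token, yet validateToken() accepts any token), and one that is consistent with never issuing tokens. The return convention assumed for validation is that a negative value means "invalid" and a non-negative value means "valid"; the packet and flight sizes are constructed sample values.

```python
from dataclasses import dataclass
from typing import Callable

AMPLIFICATION_FACTOR = 3  # unvalidated peers may receive at most 3x what they sent


def validate_token_inconsistent(token: bytes) -> int:
    # Mirrors the bug: accepts every token, even though the server never issues one.
    return 0


def validate_token_consistent(token: bytes) -> int:
    # A handler that never writes tokens has no token it can recognise, so any
    # presented token is rejected (assumed convention: negative == invalid).
    return -1


@dataclass
class PeerState:
    received: int = 0      # bytes received from this (possibly spoofed) address
    sent: int = 0          # bytes the server has sent back to it
    validated: bool = False


def on_initial(peer: PeerState, packet_len: int, token: bytes,
               validate: Callable[[bytes], int]) -> None:
    """Account for an incoming Initial packet and apply the token policy."""
    peer.received += packet_len
    if token and validate(token) >= 0:
        # Server believes the peer proved it owns the address: cap is lifted.
        peer.validated = True


def try_send(peer: PeerState, nbytes: int) -> int:
    """Send up to nbytes, truncated to the 3x budget while unvalidated."""
    if not peer.validated:
        budget = max(0, AMPLIFICATION_FACTOR * peer.received - peer.sent)
        nbytes = min(nbytes, budget)
    peer.sent += nbytes
    return nbytes


def bytes_reflected(validate: Callable[[bytes], int], token: bytes) -> int:
    """Bytes the server emits in response to one 1200-byte Initial carrying token."""
    peer = PeerState()
    on_initial(peer, 1200, token, validate)
    return try_send(peer, 6000)  # server attempts a full handshake flight
```

With the consistent policy a single 1200-byte Initial can only draw 3600 bytes back, whereever it carries a token or not; with the inconsistent policy any non-empty token removes the cap and the full flight goes out.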
Defensive priority
High
Recommended defensive actions
- Upgrade to Netty version 4.2.15.Final or later.
- Review and update any custom token handlers to ensure correct validation.
Evidence notes
This vulnerability was patched in Netty version 4.2.15.Final. For more information, see [ref-4](https://github.com/netty/netty/releases/tag/netty-4.2.15.Final) and [ref-5](https://github.com/netty/netty/security/advisories/GHSA-cmm3-54f8-px4j).
Official resources
CVE-2026-44894 was published on 2026-06-12 and modified on 2026-06-12.