PatchSiren cyber security CVE debrief
CVE-2026-50009 netty CVE debrief
CVE-2026-50009 is a vulnerability in Netty, a network application framework. Prior to version 4.2.15.Final, Netty QUIC exposes the stateless reset token on the network path when using the default HMAC-based connection-ID and stateless-reset-token generators. This allows an on-path attacker to derive the reset token for the server's current source connection ID from bytes that appear as the connection ID in QUIC headers after a source-CID rotation. The attacker can then use the token to perform a Denial of Service by sending a spoofed Stateless Reset packet. The CVSS score for this vulnerability is 4.8, indicating a medium severity.
- Vendor: netty
- Product: Unknown
- CVSS: 4.8 (MEDIUM)
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-15
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-15
Who should care
Users of Netty QUIC prior to version 4.2.15.Final should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The vulnerability stems from Netty QUIC's default HMAC-based connection-ID and stateless-reset-token generators, which expose the stateless reset token on the network path. After a source-CID rotation, an on-path attacker who observes the connection ID bytes in QUIC headers can derive the reset token for the server's current source connection ID and send a spoofed Stateless Reset packet, terminating the connection and causing a Denial of Service.
Defensive priority
Medium
Recommended defensive actions
- Upgrade to Netty version 4.2.15.Final or later.
- Where an immediate upgrade is not possible, replace the default HMAC-based connection-ID and stateless-reset-token generators with non-default implementations.
Evidence notes
The CVE record [cve-org] and NVD detail [nvd] provide information on this vulnerability.
Official resources
CVE-2026-50009 was published on 2026-06-12T16:16:31.047Z and modified on 2026-06-12T16:18:27.287Z.