Severity by source
Primary rating from vendor (GitHub_M): CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L
An on-path position and observation of a CID rotation are required (AC:H); no attacker authentication is needed (PR:N); token derivability warrants C:L; connection termination warrants A:L only.
Description (CVE.org)
Netty is a network application framework for development of protocol servers and clients. Prior to version 4.2.15.Final, Netty QUIC exposes the stateless reset token on the network path when using the default HMAC-based connection-ID and stateless-reset-token generators. The reset token for the server's current source connection ID can be derived from bytes that appear as the connection ID in QUIC headers after a source-CID rotation. An on-path attacker observing the headers can use the token to perform a Denial of Service by sending a spoofed Stateless Reset packet. Version 4.2.15.Final patches the issue.
Analysis (AI-generated)
Stateless reset token leakage in Netty's QUIC codec (io.netty:netty-codec-classes-quic prior to 4.2.15.Final) enables an on-path attacker to derive the reset token for active connections and terminate them via spoofed Stateless Reset packets. The default HMAC-based generators expose a deterministic relationship between the source connection ID visible in QUIC headers and the server's stateless reset token - after a source-CID rotation, an observer can compute the token from the new connection-ID bytes. …
Vulnerability Assessment (AI-generated)

| Aspect | Assessment |
|---|---|
| Exploitation | The attacker must occupy an on-path network position between the QUIC client and server, meaning the attacker can observe QUIC packet headers as they traverse the network path; a passive wiretap, compromised router, or co-located host on the same segment would satisfy this requirement. … |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L) yields a base score of 4.8 (Medium). … |
| Exploit Scenario | An attacker with on-path access between a QUIC client and a Netty-based server, such as a malicious ISP node, compromised router, or co-located adversary, passively monitors QUIC packet headers during normal traffic. After a source-CID rotation event, the attacker extracts the new connection-ID bytes and applies the same HMAC derivation used by Netty's default generator to compute the stateless reset token. … |
| Remediation | Upgrade to Netty 4.2.15.Final, which patches this vulnerability along with multiple other security fixes in the same release batch. … |
Related identifiers: EUVD-2026-36462, GHSA-cq4q-cv5g-r8q5