CVE-2026-50009

Vulnerability

Netty's QUIC implementation prior to version 4.2.15.Final uses the same HMAC-SHA256 key for both HmacSignQuicConnectionIdGenerator and HmacSignQuicResetTokenGenerator. During source connection ID rotation, the current server source CID C is used as input to produce the next CID N. The stateless reset token for C is the first 16 bytes of HMAC(K, C), while N is the first L bytes of the same digest, where L equals the length of C. When L >= 16, the first 16 bytes of N (which appear as the connection ID in QUIC headers) are exactly the reset token for C. This violates RFC 9000's requirement that the stateless reset token be difficult to guess [1][2].

Exploitation

An on-path attacker who can observe QUIC packet headers (without decrypting payloads) can read the connection ID during and after a source CID rotation. If the connection ID length is at least 16 bytes, the attacker directly obtains the stateless reset token for the server's current source connection ID. The attacker then crafts a spoofed Stateless Reset packet containing that token and sends it to the client, mimicking the server [2].

Impact

Successful exploitation allows an on-path attacker to forcibly close the client side of the QUIC connection by sending a valid Stateless Reset packet. This results in a Denial of Service (DoS) for the affected connection. Additionally, the reset token is disclosed to the network observer, which is an information disclosure violation [2].

Mitigation

Upgrade to Netty version 4.2.15.Final, which patches the issue by ensuring the stateless reset token is not derivable from header-visible connection IDs. No workaround is available for older versions [1][2].