CVE-2026-50009: Netty: QUIC stateless reset token material exposed through header-visible connection IDs

June 15, 2026

Netty QUIC exposes the stateless reset token on the network path when using the default HMAC-based connection-ID and stateless-reset-token generators. The reset token for the server’s current source connection ID can be derived from bytes that appear as the connection ID in QUIC headers after a source-CID rotation. An on-path attacker observing the headers can use the token to perform a Denial of Service by sending a spoofed Stateless Reset packet.

References

github.com/advisories/GHSA-cq4q-cv5g-r8q5
github.com/netty/netty/releases/tag/netty-4.2.15.Final
github.com/netty/netty/security/advisories/GHSA-cq4q-cv5g-r8q5
nvd.nist.gov/vuln/detail/CVE-2026-50009

Code Behaviors & Features

Detect and mitigate CVE-2026-50009 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →