CVE-2026-44894

Name of the Vulnerable Software and Affected Versions Netty (ionettyincubatorcodecquic) (affected versions not specified)

Description The NoQuicTokenHandler component fails to properly validate tokens when no specific token handler is set by the application. Specifically, the validateToken() function unconditionally returns 0, which the QuicheQuicServerCodec.handlePacket() function interprets as a valid token. This allows an attacker to spoof a victim's source IP address and include any non-empty token bytes in an Initial packet. Consequently, the server treats the victim's address as validated, bypassing the 3x anti-amplification send limit defined in RFC 9000 §8.1. This enables the server to reflect full-size handshake flights, such as certificates, toward the victim without the standard amplification restrictions.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.