Netty is a network application framework for development of protocol servers and clients. NoQuicTokenHandler is the tokenHandler used when the application does not set one. Prior to version 4.2.15.Final, its writeToken() returns false (server will not send Retry — acceptable), but validateToken() unconditionally `return 0`.

In QuicheQuicServerCodec.handlePacket(), a non-negative return from validateToken() is interpreted as 'token is valid, ODCID starts at offset 0', causing the server to call quiche_accept as if the client's address had been validated by a Retry round-trip. Per RFC 9000 §8.1, a validated address lifts the 3× anti-amplification send limit. Thus any attacker who includes ANY non-empty token bytes in an Initial packet — with a spoofed victim source IP — causes the Netty server to treat the victim as validated and reflect full-size handshake flights (certificates, etc.) toward it without the 3× cap. The correct 'no token handler' semantics would be to return -1 (invalid).
Netty's NoQuicTokenHandler contains a critical token validation flaw where validateToken() unconditionally returns 0 regardless of token legitimacy. This causes QuicheQuicServerCodec to misinterpret the return value as a valid token with ODCID at offset 0, bypassing QUIC's connection establishment security controls. Organizations running Netty versions prior to 4.2.15.Final with QUIC protocol support are affected. The vulnerability allows attackers to forge valid tokens and establish unauthorized connections, potentially leading to resource exhaustion, protocol confusion attacks, or downstream exploitation of QUIC-dependent services.
While MITRE ATT&CK techniques are not formally mapped to this CVE, Casky's security skills would detect the attack patterns underlying this vulnerability through analysis of QUIC handshake anomalies and token validation failures. A practitioner using Casky would observe findings related to protocol state machine violations, specifically patterns consistent with T1499 (Service Exhaustion Denial of Service) through connection flooding, T1021 (Remote Services) exploitation via forged connection establishment, and T1071 (Application Layer Protocol) misuse. The extended reasoning capability would correlate suspicious QUIC packet sequences, particularly those with missing or malformed tokens that nonetheless pass validation, against baseline RFC 9000 compliance, flagging the characteristic signature of this bypass: legitimate-looking connections with zero-offset ODCID claims that violate the server's token validation contract.
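To make the mechanism described in the first paragraph (and restated in the summary above) concrete, here is a small Python model added for this page; it is not Netty's code and not part of the advisory. It assumes a simplified handlePacket flow: an empty token is accepted with the address left unvalidated, a negative offset from validateToken() drops the packet, and a non-negative offset marks the address validated and lifts the RFC 9000 §8.1 three-times send cap. The two no-token handlers mirror the defect and the fix; HmacTokenHandler, the addresses and the byte counts are constructed to show what a real stateless Retry token validator checks.

```python
import hashlib
import hmac

# RFC 9000 §8.1: until the client's address is validated, the server may send
# at most three times the number of bytes it has received from that address.
AMPLIFICATION_FACTOR = 3
TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC tag


class NoTokenHandlerBuggy:
    """Models the pre-4.2.15.Final NoQuicTokenHandler: never emits a Retry,
    yet reports every non-empty token as valid with the ODCID at offset 0."""

    def write_token(self, dcid, addr):
        return None  # no Retry is sent

    def validate_token(self, token, addr):
        return 0  # the defect: unconditionally "valid"


class NoTokenHandlerFixed:
    """The semantics the advisory calls for: a handler that never issues
    tokens must never accept one."""

    def write_token(self, dcid, addr):
        return None

    def validate_token(self, token, addr):
        return -1


class HmacTokenHandler:
    """Constructed example of a stateless Retry token: an HMAC over the
    client address and the original DCID, followed by the DCID itself."""

    def __init__(self, key):
        self.key = key

    def _tag(self, dcid, addr):
        return hmac.new(self.key, addr.encode() + dcid, hashlib.sha256).digest()

    def write_token(self, dcid, addr):
        return self._tag(dcid, addr) + dcid

    def validate_token(self, token, addr):
        if len(token) <= TAG_LEN:
            return -1
        tag, dcid = token[:TAG_LEN], token[TAG_LEN:]
        if not hmac.compare_digest(tag, self._tag(dcid, addr)):
            return -1  # wrong key, wrong address or tampered DCID
        return TAG_LEN  # ODCID starts right after the tag


class QuicServerModel:
    """Per-address byte accounting with the 3x cap applied only to addresses
    that have not been validated (a model, not Netty's implementation)."""

    def __init__(self, token_handler):
        self.handler = token_handler
        self.received = {}
        self.sent = {}
        self.validated = set()

    def handle_initial(self, addr, token, packet_len, flight_len):
        """Returns (decision, bytes_sent) for one Initial packet from addr."""
        self.received[addr] = self.received.get(addr, 0) + packet_len
        if token:
            offset = self.handler.validate_token(token, addr)
            if offset < 0:
                return "dropped", 0  # invalid token: packet discarded
            self.validated.add(addr)  # non-negative offset == validated
        if addr in self.validated:
            decision, to_send = "validated", flight_len
        else:
            budget = AMPLIFICATION_FACTOR * self.received[addr] - self.sent.get(addr, 0)
            decision, to_send = "unvalidated", min(flight_len, max(budget, 0))
        self.sent[addr] = self.sent.get(addr, 0) + to_send
        return decision, to_send


def reflected_bytes(handler, token, packet_len=1200, flight_len=6000):
    """Bytes the server would emit toward the packet's (possibly spoofed)
    source address in reply to a single Initial carrying `token`."""
    server = QuicServerModel(handler)
    return server.handle_initial("203.0.113.9:50000", token, packet_len, flight_len)


if __name__ == "__main__":
    print("buggy, junk token:", reflected_bytes(NoTokenHandlerBuggy(), b"junk"))
    print("fixed, junk token:", reflected_bytes(NoTokenHandlerFixed(), b"junk"))
    print("fixed, no token:  ", reflected_bytes(NoTokenHandlerFixed(), b""))
```

With a 1200-byte Initial and a 6000-byte handshake flight, the buggy handler lets the full flight go out to an address that never proved it can receive traffic, the fixed handler drops the packet, and the no-token path stays under the 3600-byte cap. Reviewing a custom QuicTokenHandler against the same three cases is a quick way to confirm it never returns a non-negative offset for a token it did not mint.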
© 2026 Casky.AI, Inc. · AI Security Investigation