Skip to main content

Xquic CVE-2026-6328

| EUVDEUVD-2026-22832 HIGH
Improper Input Validation (CWE-20)
2026-04-15 alibaba GHSA-89j2-h6hv-gvhg
8.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.3 HIGH
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Re-analysis Queued
Apr 17, 2026 - 15:52 vuln.today
cvss_changed
Analysis Generated
Apr 15, 2026 - 12:37 vuln.today
EUVD ID Assigned
Apr 15, 2026 - 04:00 euvd
EUVD-2026-22832
Analysis Generated
Apr 15, 2026 - 04:00 vuln.today
CVE Published
Apr 15, 2026 - 03:18 nvd
HIGH 8.3

DescriptionCVE.org

Improper input validation, Improper verification of cryptographic signature vulnerability in XQUIC Project XQUIC xquic on Linux (QUIC protocol implementation, packet processing module, STREAM frame handler modules) allows Protocol Manipulation.This issue affects XQUIC: through 1.8.3.

AnalysisAI

XQUIC library through version 1.8.3 on Linux permits signature verification bypass and protocol manipulation via crafted QUIC STREAM frames, allowing network attackers to inject forged data into encrypted QUIC connections. Exploitation requires high complexity network interception but needs no authentication (CVSS:4.0 AV:N/AC:H/PR:N). No active exploitation confirmed (not in CISA KEV), but upstream fix available via GitHub commit 4764604a0e487eeb49338b4498aecda2194eae84. Affects applications usi

Technical ContextAI

XQUIC is Alibaba's open-source implementation of the IETF QUIC transport protocol (RFC 9000), designed for multiplexed, encrypted connections over UDP. The vulnerability resides in two critical components: the packet processing module responsible for validating incoming QUIC packets, and the STREAM frame handler that manages application data delivery. The CWE-20 (Improper Input Validation) root cause indicates insufficient boundary checking on STREAM frame fields, while the cryptographic signature verification flaw (per description) suggests failure to validate packet integrity proofs or authentication tags. QUIC's security model depends on TLS 1.3-derived keys for packet protection - bypassing signature verification breaks the confidentiality and authenticity guarantees of the encrypted transport layer. The affected CPE (cpe:2.3:a:xquic_project:xquic:*:*:*:*:*:*:*:*) confirms impact to all versions through 1.8.3 across all deployment contexts on Linux platforms.

RemediationAI

Apply the upstream patch immediately by upgrading to XQUIC post-commit 4764604a0e487eeb49338b4498aecda2194eae84 or later stable release incorporating this fix. The GitHub commit at https://github.com/alibaba/xquic/commit/4764604a0e487eeb49338b4498aecda2194eae84 addresses both the input validation and cryptographic signature verification flaws in the packet processing and STREAM frame handler modules. For production environments unable to immediately upgrade, implement network-level controls limiting QUIC traffic to trusted endpoints and deploy TLS inspection proxies to validate QUIC handshake integrity, though these workarounds provide incomplete protection against protocol-layer manipulation. Review application logs for anomalous STREAM frame patterns (unexpected sequence numbers, oversized frames, or integrity check failures) as potential indicators of exploitation attempts. Consult EUVD-2026-22832 in the EU vulnerability database for additional European regulatory context if operating in EU jurisdictions.

Share

CVE-2026-6328 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy