Severity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
Improper input validation, Improper verification of cryptographic signature vulnerability in XQUIC Project XQUIC xquic on Linux (QUIC protocol implementation, packet processing module, STREAM frame handler modules) allows Protocol Manipulation.This issue affects XQUIC: through 1.8.3.
AnalysisAI
XQUIC library through version 1.8.3 on Linux permits signature verification bypass and protocol manipulation via crafted QUIC STREAM frames, allowing network attackers to inject forged data into encrypted QUIC connections. Exploitation requires high complexity network interception but needs no authentication (CVSS:4.0 AV:N/AC:H/PR:N). No active exploitation confirmed (not in CISA KEV), but upstream fix available via GitHub commit 4764604a0e487eeb49338b4498aecda2194eae84. Affects applications usi
Technical ContextAI
XQUIC is Alibaba's open-source implementation of the IETF QUIC transport protocol (RFC 9000), designed for multiplexed, encrypted connections over UDP. The vulnerability resides in two critical components: the packet processing module responsible for validating incoming QUIC packets, and the STREAM frame handler that manages application data delivery. The CWE-20 (Improper Input Validation) root cause indicates insufficient boundary checking on STREAM frame fields, while the cryptographic signature verification flaw (per description) suggests failure to validate packet integrity proofs or authentication tags. QUIC's security model depends on TLS 1.3-derived keys for packet protection - bypassing signature verification breaks the confidentiality and authenticity guarantees of the encrypted transport layer. The affected CPE (cpe:2.3:a:xquic_project:xquic:*:*:*:*:*:*:*:*) confirms impact to all versions through 1.8.3 across all deployment contexts on Linux platforms.
RemediationAI
Apply the upstream patch immediately by upgrading to XQUIC post-commit 4764604a0e487eeb49338b4498aecda2194eae84 or later stable release incorporating this fix. The GitHub commit at https://github.com/alibaba/xquic/commit/4764604a0e487eeb49338b4498aecda2194eae84 addresses both the input validation and cryptographic signature verification flaws in the packet processing and STREAM frame handler modules. For production environments unable to immediately upgrade, implement network-level controls limiting QUIC traffic to trusted endpoints and deploy TLS inspection proxies to validate QUIC handshake integrity, though these workarounds provide incomplete protection against protocol-layer manipulation. Review application logs for anomalous STREAM frame patterns (unexpected sequence numbers, oversized frames, or integrity check failures) as potential indicators of exploitation attempts. Consult EUVD-2026-22832 in the EU vulnerability database for additional European regulatory context if operating in EU jurisdictions.
Same weakness CWE-20 – Improper Input Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22832
GHSA-89j2-h6hv-gvhg