Description
XX-Net V5.16.6 contains a WebSocket frame parsing vulnerability in the WebSocket_receive_worker routine of simple_http_server.py that allows attackers to corrupt application data by sending unmasked WebSocket frames. The server reads 4 bytes as a masking key regardless of whether the MASK bit is set in the frame header, so the first 4 bytes of the payload are consumed as the mask key and the remaining payload is incorrectly XOR-decoded, resulting in data corruption. The parser also lacks validation of the RSV bits, opcode, and FIN fragmentation.
Published: 2026-05-29
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

XX‑Net version 5.16.6 contains a WebSocket frame parsing flaw in the WebSocket_receive_worker routine of simple_http_server.py. The code unconditionally reads four bytes as a masking key even when the MASK bit is not set, leading to incorrect XOR decoding of the payload. As a result, the first four bytes of the payload are consumed as a mask key and the remaining data is corrupted. The omission of validation for the RSV bit, opcode, and FIN fragmentation further allows malformed frames to be accepted, potentially disrupting downstream processing. This vulnerability is classified as CWE‑1286.

Affected Systems

The flaw applies to installations of XX-Net that include the simple_http_server.py component in version 5.16.6. No other releases are currently documented as affected. The referenced mitigation is GitHub commit a68b972a84ed6e52df9f30237cf47493b9231b53, which patches the masking key handling logic.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity. The EPSS score is not available, so the exploitation probability is unknown. The vulnerability is not listed in CISA's KEV catalog. Attackers can construct unmasked WebSocket frames to corrupt data; however, the flaw does not provide a direct path to arbitrary code execution or privilege escalation. The likely attack vector is any network connection to the XX-Net WebSocket endpoint, which must be reachable by the attacker. Because the issue results in data corruption rather than code execution, the primary risk is to the integrity of application data, with potential service disruption.

Generated by OpenCVE AI on May 29, 2026 at 17:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update XX‑Net to a version that contains the commit a68b972a84ed6e52df9f30237cf47493b9231b53 or later, which corrects the masking key handling logic.
  • Configure network firewalls or access controls to limit which hosts can connect to the XX‑Net WebSocket endpoint until the patch is applied.
  • If immediate upgrading is not possible, add defensive checks in the WebSocket parsing routine to verify that the MASK bit is set before reading a masking key and to validate RSV, opcode, and FIN fragmentation flags.
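The defensive checks listed above, written out as an added example (this is constructed illustration code, not XX-Net's simple_http_server.py and not the patched commit): parse_client_frame refuses unmasked, reserved-bit, unknown-opcode and fragmented or oversized control frames before it ever reads a key, decode_unconditional_mask is a simplified model of the behaviour the advisory describes, and build_client_frame is a test helper. All three function names and the fixed mask key are assumptions of this example.

```python
import struct

CONTROL_OPCODES = {0x8, 0x9, 0xA}
VALID_OPCODES = {0x0, 0x1, 0x2} | CONTROL_OPCODES


def parse_client_frame(buf: bytes) -> tuple[bool, int, bytes]:
    """Return (fin, opcode, payload) or raise ValueError on a malformed frame."""
    if len(buf) < 2:
        raise ValueError("truncated header")
    fin, rsv, opcode = bool(buf[0] & 0x80), buf[0] & 0x70, buf[0] & 0x0F
    masked, length = bool(buf[1] & 0x80), buf[1] & 0x7F
    if rsv:  # no extension was negotiated, so RSV1-3 must all be zero
        raise ValueError("reserved bits set")
    if opcode not in VALID_OPCODES:
        raise ValueError(f"unknown opcode {opcode:#x}")
    if opcode in CONTROL_OPCODES and (not fin or length > 125):
        raise ValueError("control frames must be unfragmented and <= 125 bytes")
    pos = 2
    if length == 126:
        length, pos = int.from_bytes(buf[2:4], "big"), 4
    elif length == 127:
        length, pos = int.from_bytes(buf[2:10], "big"), 10
    # RFC 6455 section 5.1: client-to-server frames must be masked. Testing the
    # bit before reading a key is the missing step the advisory describes.
    if not masked:
        raise ValueError("client frame is not masked")
    key, pos = buf[pos:pos + 4], pos + 4
    if len(buf) < pos + length:
        raise ValueError("truncated frame")
    payload = bytes(b ^ key[i % 4] for i, b in enumerate(buf[pos:pos + length]))
    return fin, opcode, payload


def decode_unconditional_mask(buf: bytes) -> bytes:
    """Constructed model of the reported behaviour (not XX-Net's code): the key
    is always read, so an unmasked short frame loses 4 bytes and the rest is XORed."""
    n, key = buf[1] & 0x7F, buf[2:6]
    return bytes(b ^ key[i % 4] for i, b in enumerate(buf[6:6 + n]))


def build_client_frame(payload: bytes, opcode: int = 0x1, masked: bool = True,
                       fin: bool = True, rsv: int = 0) -> bytes:
    """Constructed test helper; masked=False or rsv!=0 produce malformed frames."""
    n = len(payload)
    ext = b"" if n < 126 else struct.pack("!H", n) if n < 65536 else struct.pack("!Q", n)
    b1 = (0x80 if masked else 0) | (n if n < 126 else 126 if n < 65536 else 127)
    head = bytes([(0x80 if fin else 0) | rsv | opcode, b1]) + ext
    if not masked:
        return head + payload
    key = b"\x12\x34\x56\x78"  # constructed fixed key; real clients pick a random one
    return head + key + bytes(b ^ key[i % 4] for i, b in enumerate(payload))
```

Feeding an unmasked frame through decode_unconditional_mask shows the corruption the advisory describes, while parse_client_frame rejects the same frame with a ValueError instead of consuming payload bytes as a key.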



Advisories

No advisories yet.

History

Mon, 01 Jun 2026 17:30:00 +0000

Type: Metrics
Values Removed: none
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 30 May 2026 23:00:00 +0000

Type: First Time appeared
Values Removed: none
Values Added: Xx-net, Xx-net xx-net
Type: Vendors & Products
Values Removed: none
Values Added: Xx-net, Xx-net xx-net

Fri, 29 May 2026 16:15:00 +0000

Type: Description
Values Removed: none
Values Added: XX-Net V5.16.6 contains a WebSocket frame parsing vulnerability in the WebSocket_receive_worker routine of simple_http_server.py that allows attackers to cause corrupted application data by sending unmasked WebSocket frames. The server unconditionally reads 4 bytes as a masking key regardless of whether the MASK bit is set in the frame header, causing the first 4 bytes of payload to be consumed as a mask key and the remaining payload to be incorrectly XOR-decoded, resulting in data corruption alongside missing RSV bit, opcode, and FIN fragmentation validations.
Type: Title
Values Removed: none
Values Added: XX-Net V5.16.6 WebSocket Frame Parsing Data Corruption via simple_http_server.py
Type: Weaknesses
Values Removed: none
Values Added: CWE-1286
Type: References
Type: Metrics
Values Removed: none
Values Added: cvssV3_1 {'score': 4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}; cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-01T15:24:15.120Z

Reserved: 2026-05-29T15:03:52.130Z

Link: CVE-2026-10099

Vulnrichment

Updated: 2026-06-01T15:24:10.349Z

NVD

Status: Awaiting Analysis

Published: 2026-05-29T16:16:24.333

Modified: 2026-06-01T18:12:56.073

Link: CVE-2026-10099

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-30T21:18:31Z

Weaknesses
  • CWE-1286

    Improper Validation of Syntactic Correctness of Input