Description: Out-of-bounds Write vulnerability in Xquic Project Xquic Server xquic on Linux (QUIC protocol implementation, packet processing module modules) allows Buffer Manipulation. This issue affects Xquic Server: through 1.8.3.
Published: 2026-02-03
Score: 6.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Buffer Overflow enabling memory corruption
Action: Upgrade
AI Analysis

Impact

Out‑of‑bounds write (CWE‑787) in the packet‑processing module of Xquic Server. The CVSS 4.0 vector recorded for the issue (AV:N/AC:L/AT:N/PR:N/UI:N) describes an attacker who needs only network reachability to the QUIC endpoint, with no privileges and no user interaction, so the attack vector is a crafted QUIC packet from a remote peer. The same vector scores the impact as availability only (VC:N/VI:N/VA:H): memory corruption that crashes or hangs the server is the documented outcome, and the record does not claim code execution. Because what an out‑of‑bounds write overwrites decides its real consequence, treat code execution as unproven rather than excluded. The score of 6.6 corresponds to medium severity.
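The following is an added illustration of the CWE‑787 pattern in a QUIC‑style frame parser, written for this page; it is not xquic code and does not reproduce the actual CVE‑2026‑1788 defect, whose details the record does not give. The varint format follows RFC 9000 section 16; the reassembly buffer size and the packets are constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of CWE-787 in a QUIC-style packet parser. NOT xquic code
 * and not the CVE-2026-1788 bug; it shows the generic bounds discipline a
 * frame parser needs. Varint encoding per RFC 9000 s.16. */

#define REASM_BUF 64   /* fixed reassembly buffer, deliberately small for the demo */

struct stream_buf {
    uint8_t data[REASM_BUF];
    size_t  used;
};

/* Decode a QUIC variable-length integer from buf[0..len).
 * Returns bytes consumed, or 0 if the input is empty or the varint is truncated. */
static size_t quic_varint_decode(const uint8_t *buf, size_t len, uint64_t *out)
{
    if (len == 0)
        return 0;
    size_t n = (size_t)1 << (buf[0] >> 6);      /* top two bits select 1, 2, 4 or 8 bytes */
    if (len < n)
        return 0;
    uint64_t v = buf[0] & 0x3f;
    for (size_t i = 1; i < n; i++)
        v = (v << 8) | buf[i];
    *out = v;
    return n;
}

/* Vulnerable pattern: the copy length comes straight from the wire. A forged
 * length reads past the packet and writes past data[] (out-of-bounds write). */
static int copy_frame_unchecked(struct stream_buf *s, const uint8_t *pkt, size_t pkt_len)
{
    uint64_t flen;
    size_t n = quic_varint_decode(pkt, pkt_len, &flen);
    if (n == 0)
        return -1;
    memcpy(s->data + s->used, pkt + n, (size_t)flen);   /* no bound on flen */
    s->used += (size_t)flen;
    return 0;
}

/* Hardened: the claimed length must fit both the bytes left in the packet and
 * the space left in the destination before a single byte is copied. */
static int copy_frame_checked(struct stream_buf *s, const uint8_t *pkt, size_t pkt_len)
{
    uint64_t flen;
    size_t n = quic_varint_decode(pkt, pkt_len, &flen);
    if (n == 0)
        return -1;                                  /* empty or truncated varint */
    if (flen > pkt_len - n)
        return -2;                                  /* claims more than the packet carries */
    if (flen > REASM_BUF - s->used)
        return -3;                                  /* would overflow data[] */
    memcpy(s->data + s->used, pkt + n, (size_t)flen);
    s->used += (size_t)flen;
    return 0;
}

/* Constructed inputs (not captured traffic). Each returns the parser's status. */
int demo_well_formed(void)
{
    struct stream_buf s = {{0}, 0};
    const uint8_t pkt[] = { 0x05, 'h', 'e', 'l', 'l', 'o' };   /* len=5, 5 bytes follow */
    int rc = copy_frame_checked(&s, pkt, sizeof pkt);
    return (rc == 0 && s.used == 5 && memcmp(s.data, "hello", 5) == 0) ? 0 : -99;
}

int demo_length_exceeds_packet(void)
{
    struct stream_buf s = {{0}, 0};
    const uint8_t pkt[] = { 0x40, 0xC8, 'x', 'x' };   /* 2-byte varint = 200, only 2 bytes follow */
    return copy_frame_checked(&s, pkt, sizeof pkt);   /* -2 */
}

int demo_length_exceeds_buffer(void)
{
    struct stream_buf s = {{0}, 0};
    uint8_t pkt[2 + 100];
    pkt[0] = 0x40; pkt[1] = 0x64;                     /* 2-byte varint = 100 */
    memset(pkt + 2, 'A', 100);                        /* payload really is 100 bytes long */
    return copy_frame_checked(&s, pkt, sizeof pkt);   /* -3: 100 > REASM_BUF */
}

int main(void)
{
    struct stream_buf s = {{0}, 0};
    const uint8_t benign[] = { 0x03, 'a', 'b', 'c' };
    /* The unchecked parser looks correct on benign input; only hostile lengths expose it. */
    printf("unchecked, benign frame: rc=%d used=%zu\n",
           copy_frame_unchecked(&s, benign, sizeof benign), s.used);
    printf("checked, well-formed: %d\n", demo_well_formed());
    printf("checked, forged length: %d\n", demo_length_exceeds_packet());
    printf("checked, buffer overflow attempt: %d\n", demo_length_exceeds_buffer());
    return 0;
}
```

The two checks in copy_frame_checked are the whole point: a length field is attacker data until it has been compared against both the remaining packet and the remaining destination, and the comparison has to happen before memcpy, not after. Building with -fsanitize=address and feeding the unchecked variant the forged packets is the quickest way to see why the checked form exists.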

Affected Systems

The issue affects the Xquic Server component of Alibaba's xquic (QUIC protocol implementation) on Linux. The CVE record lists all releases through version 1.8.3 as affected and does not itself name the release that contains the fix; confirm against the project's release notes which version newer than 1.8.3 carries it before upgrading.

Risk and Exploitability

The CVSS score of 6.6 is medium, and the EPSS score is below 1%, indicating a very low probability of exploitation at the time of scoring. The vulnerability is not listed in the CISA KEV catalog, and the SSVC assessment recorded in the history below lists Exploitation: none, consistent with no known exploitation. That same assessment rates the issue Automatable: yes, which matches the vector: a remote, unauthenticated attacker who can reach the QUIC listener only has to send crafted packets, and nothing about the attack depends on knowledge of the particular deployment. No public exploit or proof of concept is referenced on this page. Internet‑exposed xquic servers are the priority for patching even though current exploitation activity is low.

Generated by OpenCVE AI on April 18, 2026 at 00:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update xquic to a release newer than 1.8.3 that the project identifies as containing the out‑of‑bounds write fix; the CVE record lists affected versions as "through 1.8.3" but does not name the fixed release.
  • If an upgrade is not immediately possible, restrict QUIC (UDP) traffic to the server at the network perimeter: allow only trusted peers, or rate‑limit untrusted sources, so an attacker cannot cheaply spray crafted packets at the listener.
  • Build and run the server with the platform's memory‑safety mitigations (ASLR, stack canaries, NX/DEP, RELRO and FORTIFY_SOURCE where the toolchain supports them). They do not prevent an out‑of‑bounds write, but they make turning one into code execution harder and turn many corruptions into clean crashes. Run the QUIC process under a supervisor that restarts it, so the documented availability impact is a brief crash rather than a prolonged outage.
  • Monitor for xquic process crashes, restarts and core dumps, and alert on bursts of malformed or unusually large QUIC packets from a single source. In staging, exercise the packet‑processing path with fuzzing or an ASan‑instrumented build.
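As an added illustration of the perimeter restriction above (written for this page, not from OpenCVE or the xquic project): an nftables ruleset that lets an allow‑list of peers reach the QUIC listener freely and rate‑limits everyone else. UDP/443 and the peer addresses are assumptions; substitute the port the xquic server actually binds.

```nftables
# Added example, not from the xquic project or OpenCVE.
# Assumptions: the QUIC listener is on UDP/443; the trusted ranges below are
# constructed placeholders (RFC 5737 documentation addresses).
table inet quic_guard {
    set trusted_peers {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24, 198.51.100.7 }
    }

    chain input {
        type filter hook input priority filter; policy accept;

        # Trusted peers reach the QUIC listener without a rate limit.
        udp dport 443 ip saddr @trusted_peers accept

        # Everyone else shares one packet budget; excess crafted packets are
        # dropped and counted, so the drop counter can be graphed and alerted on.
        udp dport 443 limit rate 500/second burst 1000 packets accept
        udp dport 443 counter drop
    }
}
```

Load it with `nft -f quic_guard.nft` and read the drop counter with `nft list chain inet quic_guard input`. The set covers IPv4 only; a dual‑stack server needs a matching ipv6_addr set and an `ip6 saddr` rule, and the rate figures should be sized from the server's normal peak rather than copied from here.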

Generated by OpenCVE AI on April 18, 2026 at 00:26 UTC.

Advisories

No advisories yet.

References

No references listed.

History

Wed, 04 Feb 2026 12:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Alibaba; Alibaba xquic Server
Vendors & Products   (none)           Alibaba; Alibaba xquic Server

Tue, 03 Feb 2026 18:15:00 +0000

Type     Values Removed   Values Added
Metrics  (none)           ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 03 Feb 2026 13:15:00 +0000

Type         Values Removed   Values Added
Description  (none)           Out-of-bounds Write vulnerability in Xquic Project Xquic Server xquic on Linux (QUIC protocol implementation, packet processing module modules) allows Buffer Manipulation. This issue affects Xquic Server: through 1.8.3.
Title        (none)           Buffer Overflow in Xquic Server
Weaknesses   (none)           CWE-787
References   (none)           (none)
Metrics      (none)           cvssV4_0: {'score': 6.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/AU:Y/R:U/RE:M/U:Amber'}


MITRE

Status: PUBLISHED

Assigner: alibaba

Published:

Updated: 2026-02-03T17:18:06.150Z

Reserved: 2026-02-03T03:04:55.808Z

Link: CVE-2026-1788

Vulnrichment

Updated: 2026-02-03T17:18:02.285Z

NVD

Status : Deferred

Published: 2026-02-03T04:15:56.190

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1788

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T00:30:25Z

Weaknesses