Description
Improper input validation, Improper verification of cryptographic signature vulnerability in XQUIC Project XQUIC xquic on Linux (QUIC protocol implementation, packet processing module, STREAM frame handler modules) allows Protocol Manipulation.This issue affects XQUIC: through 1.8.3.
Published: 2026-04-15
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Protocol manipulation and potential denial of service
Action: Patch
AI Analysis

Impact

The vulnerability in XQUIC’s STREAM frame handler allows an attacker to send malformed or spoofed QUIC frames during the Initial or Handshake phases. Because the implementation performs inadequate input filtering and does not properly verify cryptographic signatures, these frames can manipulate the protocol state, potentially causing denial of service, corrupting session data, or, if the application processes them unprotected, compromising the host. The flaw maps to CWE‑20 (Improper Input Validation) and CWE‑347 (Untrusted Input Contains Structured Data).

Affected Systems

All releases of the XQUIC Project XQUIC on Linux up to and including version 1.8.3 are vulnerable. Users operating legacy versions before the fix are exposed to the described issue.

Risk and Exploitability

The CVSS base score of 8.3 indicates high severity. The likely attack vector is network‑based, requiring delivery of malformed QUIC packets and no prior authentication. EPSS data is unavailable and the vulnerability is not listed in the CISA KEV catalog, but the high score and lack of public exploitation reports suggest that the risk remains significant. Based on the description, it is inferred that the attacker can manipulate the protocol state remotely, potentially leading to denial of service or more severe compromise if the application mishandles the frames.

Generated by OpenCVE AI on April 15, 2026 at 06:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade XQUIC to a version newer than 1.8.3 that implements the signature verification fix.
  • Configure the QUIC implementation or network perimeter to discard packets that fail signature verification, effectively disabling the vulnerable frame handling until an update is available.
  • Deploy network monitoring to detect anomalous QUIC traffic, such as repeated attempts with invalid stream frames, and generate alerts for investigation.

Generated by OpenCVE AI on April 15, 2026 at 06:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 15 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Alibaba
Alibaba xquic
Vendors & Products Alibaba
Alibaba xquic

Wed, 15 Apr 2026 04:00:00 +0000

Type Values Removed Values Added
Description Improper input validation, Improper verification of cryptographic signature vulnerability in XQUIC Project XQUIC xquic on Linux (QUIC protocol implementation, packet processing module, STREAM frame handler modules) allows Protocol Manipulation.This issue affects XQUIC: through 1.8.3.
Title XQUIC Improper STREAM Frame Validation in Initial/Handshake Packets
Weaknesses CWE-20
CWE-347
References
Metrics cvssV4_0

{'score': 8.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Alibaba Xquic
cve-icon MITRE

Status: PUBLISHED

Assigner: alibaba

Published:

Updated: 2026-04-15T16:13:31.813Z

Reserved: 2026-04-15T02:43:22.187Z

Link: CVE-2026-6328

cve-icon Vulnrichment

Updated: 2026-04-15T13:47:09.729Z

cve-icon NVD

Status : Deferred

Published: 2026-04-15T04:17:48.750

Modified: 2026-05-19T15:06:00.590

Link: CVE-2026-6328

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T14:53:33Z

Weaknesses