{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6328", "assignerOrgId": "0cc2b86d-1d45-434d-ae74-11d09ec61ae8", "state": "PUBLISHED", "assignerShortName": "alibaba", "dateReserved": "2026-04-15T02:43:22.187Z", "datePublished": "2026-04-15T03:18:10.428Z", "dateUpdated": "2026-04-15T03:18:10.428Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "0cc2b86d-1d45-434d-ae74-11d09ec61ae8", "shortName": "alibaba", "dateUpdated": "2026-04-15T03:18:10.428Z"}, "title": "XQUIC Improper STREAM Frame Validation in Initial/Handshake Packets", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-20", "description": "CWE-20 Improper input validation", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "cweId": "CWE-347", "description": "CWE-347 Improper verification of cryptographic signature", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-272", "descriptions": [{"lang": "en", "value": "CAPEC-272 Protocol Manipulation"}]}], "affected": [{"vendor": "XQUIC Project", "product": "XQUIC", "platforms": ["Linux"], "collectionURL": "https://github.com", "packageName": "xquic", "repo": "https://github.com/alibaba/xquic", "modules": ["QUIC protocol implementation", "packet processing module", "STREAM frame handler"], "versions": [{"status": "affected", "version": "0", "lessThanOrEqual": "1.8.3", "changes": [{"at": "1.9.0", "status": "unaffected"}], "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Improper input validation, Improper verification of cryptographic signature vulnerability in XQUIC Project XQUIC xquic on Linux (QUIC protocol implementation, packet processing module, STREAM frame handler modules) allows Protocol Manipulation.This issue affects XQUIC: through 1.8.3.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Improper input validation, Improper verification of cryptographic signature vulnerability in XQUIC Project XQUIC xquic on Linux (QUIC protocol implementation, packet processing module, STREAM frame handler modules) allows Protocol Manipulation.<p>This issue affects XQUIC: through 1.8.3.</p>"}]}], "references": [{"url": "https://github.com/alibaba/xquic/commit/4764604a0e487eeb49338b4498aecda2194eae84"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 8.3, "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}}}

{}

{}

{}

{"analysis": {"en": {"generated_at": "2026-04-15T06:21:44.275883+00:00", "value": {"mitigation_remediation": ["Upgrade XQUIC to a version newer than 1.8.3 that implements the signature verification fix.", "Configure the QUIC implementation or network perimeter to discard packets that fail signature verification, effectively disabling the vulnerable frame handling until an update is available.", "Deploy network monitoring to detect anomalous QUIC traffic, such as repeated attempts with invalid stream frames, and generate alerts for investigation."], "summary": {"action": "Patch", "impact": "Protocol manipulation and potential denial of service"}, "threat_synthesis": {"affected_systems": "All releases of the XQUIC Project XQUIC on Linux up to and including version 1.8.3 are vulnerable. Users operating legacy versions before the fix are exposed to the described issue.", "description_and_impact": "The vulnerability in XQUIC\u2019s STREAM frame handler allows an attacker to send malformed or spoofed QUIC frames during the Initial or Handshake phases. Because the implementation performs inadequate input filtering and does not properly verify cryptographic signatures, these frames can manipulate the protocol state, potentially causing denial of service, corrupting session data, or, if the application processes them unprotected, compromising the host. The flaw maps to CWE\u201120 (Improper Input Validation) and CWE\u2011347 (Untrusted Input Contains Structured Data).", "risk_and_exploitability": "The CVSS base score of 8.3 indicates high severity. The likely attack vector is network\u2011based, requiring delivery of malformed QUIC packets and no prior authentication. EPSS data is unavailable and the vulnerability is not listed in the CISA KEV catalog, but the high score and lack of public exploitation reports suggest that the risk remains significant. Based on the description, it is inferred that the attacker can manipulate the protocol state remotely, potentially leading to denial of service or more severe compromise if the application mishandles the frames."}}}}, "created": "2026-04-15T13:49:14.869651+00:00", "updated": "2026-04-15T13:49:14.869667+00:00", "vendors": []}