{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6328", "assignerOrgId": "0cc2b86d-1d45-434d-ae74-11d09ec61ae8", "state": "PUBLISHED", "assignerShortName": "alibaba", "dateReserved": "2026-04-15T02:43:22.187Z", "datePublished": "2026-04-15T03:18:10.428Z", "dateUpdated": "2026-04-15T16:13:31.813Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "0cc2b86d-1d45-434d-ae74-11d09ec61ae8", "shortName": "alibaba", "dateUpdated": "2026-04-15T03:18:10.428Z"}, "title": "XQUIC Improper STREAM Frame Validation in Initial/Handshake Packets", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-20", "description": "CWE-20 Improper input validation", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "cweId": "CWE-347", "description": "CWE-347 Improper verification of cryptographic signature", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-272", "descriptions": [{"lang": "en", "value": "CAPEC-272 Protocol Manipulation"}]}], "affected": [{"vendor": "XQUIC Project", "product": "XQUIC", "platforms": ["Linux"], "collectionURL": "https://github.com", "packageName": "xquic", "repo": "https://github.com/alibaba/xquic", "modules": ["QUIC protocol implementation", "packet processing module", "STREAM frame handler"], "versions": [{"status": "affected", "version": "0", "lessThanOrEqual": "1.8.3", "changes": [{"at": "1.9.0", "status": "unaffected"}], "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Improper input validation, Improper verification of cryptographic signature vulnerability in XQUIC Project XQUIC xquic on Linux (QUIC protocol implementation, packet processing module, STREAM frame handler modules) allows Protocol Manipulation.This issue affects XQUIC: through 1.8.3.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Improper input validation, Improper verification of cryptographic signature vulnerability in XQUIC Project XQUIC xquic on Linux (QUIC protocol implementation, packet processing module, STREAM frame handler modules) allows Protocol Manipulation.<p>This issue affects XQUIC: through 1.8.3.</p>"}]}], "references": [{"url": "https://github.com/alibaba/xquic/commit/4764604a0e487eeb49338b4498aecda2194eae84"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 8.3, "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T13:47:01.676715Z", "id": "CVE-2026-6328", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T16:13:31.813Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-6328", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-15T13:47:01.676715Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T13:47:09.729Z"}}], "cna": {"title": "XQUIC Improper STREAM Frame Validation in Initial/Handshake Packets", "source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-272", "descriptions": [{"lang": "en", "value": "CAPEC-272 Protocol Manipulation"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/alibaba/xquic", "vendor": "XQUIC Project", "modules": ["QUIC protocol implementation", "packet processing module", "STREAM frame handler"], "product": "XQUIC", "versions": [{"status": "affected", "changes": [{"at": "1.9.0", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "1.8.3"}], "platforms": ["Linux"], "packageName": "xquic", "collectionURL": "https://github.com", "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/alibaba/xquic/commit/4764604a0e487eeb49338b4498aecda2194eae84"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Improper input validation, Improper verification of cryptographic signature vulnerability in XQUIC Project XQUIC xquic on Linux (QUIC protocol implementation, packet processing module, STREAM frame handler modules) allows Protocol Manipulation.This issue affects XQUIC: through 1.8.3.", "supportingMedia": [{"type": "text/html", "value": "Improper input validation, Improper verification of cryptographic signature vulnerability in XQUIC Project XQUIC xquic on Linux (QUIC protocol implementation, packet processing module, STREAM frame handler modules) allows Protocol Manipulation.<p>This issue affects XQUIC: through 1.8.3.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20 Improper input validation"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-347", "description": "CWE-347 Improper verification of cryptographic signature"}]}], "providerMetadata": {"orgId": "0cc2b86d-1d45-434d-ae74-11d09ec61ae8", "shortName": "alibaba", "dateUpdated": "2026-04-15T03:18:10.428Z"}}}, "cveMetadata": {"cveId": "CVE-2026-6328", "state": "PUBLISHED", "dateUpdated": "2026-04-15T16:13:31.813Z", "dateReserved": "2026-04-15T02:43:22.187Z", "assignerOrgId": "0cc2b86d-1d45-434d-ae74-11d09ec61ae8", "datePublished": "2026-04-15T03:18:10.428Z", "assignerShortName": "alibaba"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper input validation, Improper verification of cryptographic signature vulnerability in XQUIC Project XQUIC xquic on Linux (QUIC protocol implementation, packet processing module, STREAM frame handler modules) allows Protocol Manipulation.This issue affects XQUIC: through 1.8.3."}], "id": "CVE-2026-6328", "lastModified": "2026-04-15T04:17:48.750", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "alibaba-cna@list.alibaba-inc.com", "type": "Secondary"}]}, "published": "2026-04-15T04:17:48.750", "references": [{"source": "alibaba-cna@list.alibaba-inc.com", "url": "https://github.com/alibaba/xquic/commit/4764604a0e487eeb49338b4498aecda2194eae84"}], "sourceIdentifier": "alibaba-cna@list.alibaba-inc.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-347"}], "source": "alibaba-cna@list.alibaba-inc.com", "type": "Secondary"}]}

{}