CVE-2026-6328: Details

CVE-2026-6328

8.3 / High
A03-Injection, A02-Cryptographic Failures
0.04% V4
Network
2026-04-15 03h18 +00:00
2026-04-15 16h13 +00:00

CVE Descriptions

XQUIC Improper STREAM Frame Validation in Initial/Handshake Packets

Improper input validation, Improper verification of cryptographic signature vulnerability in XQUIC Project XQUIC xquic on Linux (QUIC protocol implementation, packet processing module, STREAM frame handler modules) allows Protocol Manipulation. This issue affects XQUIC: through 1.8.3.

CVE Information

Related Weaknesses

CWE-ID | Weakness Name | Source
CWE-20 | Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-347 | Improper Verification of Cryptographic Signature
The product does not verify, or incorrectly verifies, the cryptographic signature for data.

Metrics

Metrics | Score | Severity | CVSS Vector | Source
V4.0 | 8.3 | HIGH | CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N

Base: Exploitability Metrics

The Exploitability metrics reflect the characteristics of the “thing that is vulnerable”, which we refer to formally as the vulnerable system.

Attack Vector

This metric reflects the context by which vulnerability exploitation is possible.

Network

The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers).

Attack Complexity

This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit.

High

The successful attack depends on the evasion or circumvention of security-enhancing techniques in place that would otherwise hinder the attack. These include:
Evasion of exploit mitigation techniques. The attacker must have additional methods available to bypass security measures in place. For example, circumvention of address space randomization (ASLR) or data execution prevention (DEP) must be performed for the attack to be successful.
Obtaining target-specific secrets. The attacker must gather some target-specific secret before the attack can be successful. A secret is any piece of information that cannot be obtained through any amount of reconnaissance. To obtain the secret the attacker must perform additional attacks or break otherwise secure measures (e.g. knowledge of a secret key may be needed to break a crypto channel). This operation must be performed for each attacked target.

Attack Requirements

This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack.

None

The successful attack does not depend on the deployment and execution conditions of the vulnerable system. The attacker can expect to be able to reach the vulnerability and execute the exploit under all or most instances of the vulnerability.

Privileges Required

This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability.

None

The attacker is unauthenticated prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.

User Interaction

This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system.

None

The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system; a locally authenticated attacker executes code to elevate privileges.

Base: Impact Metrics

The Impact metrics capture the effects of a successfully exploited vulnerability. Analysts should constrain impacts to a reasonable, final outcome which they are confident an attacker is able to achieve.

Confidentiality Impact

This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability.

Low

There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the Vulnerable System.

Integrity Impact

This metric measures the impact to integrity of a successfully exploited vulnerability.

High

There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Vulnerable System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Vulnerable System.

Availability Impact

This metric measures the impact to the availability of the impacted system resulting from a successfully exploited vulnerability.

None

There is no impact to availability within the Vulnerable System.

Sub Confidentiality Impact

Negligible

There is no loss of confidentiality within the Subsequent System or all confidentiality impact is constrained to the Vulnerable System.

Sub Integrity Impact

None

There is no loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System.

Sub Availability Impact

None

There is no impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System.

Threat Metrics

The Threat metrics measure the current state of exploit techniques or code availability for a vulnerability.

Environmental Metrics

These metrics enable the consumer analyst to customize the resulting score depending on the importance of the affected IT asset to a user’s organization, measured in terms of complementary/alternative security controls in place, Confidentiality, Integrity, and Availability. The metrics are the modified equivalent of Base metrics and are assigned values based on the system placement within organizational infrastructure.

Supplemental Metrics

Supplemental metric group provides new metrics that describe and measure additional extrinsic attributes of a vulnerability. While the assessment of Supplemental metrics is provisioned by the provider, the usage and response plan of each metric within the Supplemental metric group is determined by the consumer.

EPSS

EPSS is a scoring model that predicts the likelihood that a vulnerability will be exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0–100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVEs by their EPSS score. For example, a CVE in the 95th percentile by EPSS score is more likely to be exploited than 95% of other CVEs. The percentile makes it possible to compare a CVE's EPSS score with the scores of other CVEs.

References