{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1788", "assignerOrgId": "0cc2b86d-1d45-434d-ae74-11d09ec61ae8", "state": "PUBLISHED", "assignerShortName": "alibaba", "dateReserved": "2026-02-03T03:04:55.808Z", "datePublished": "2026-02-03T03:22:48.256Z", "dateUpdated": "2026-02-03T17:18:06.150Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://github.com", "defaultStatus": "unaffected", "modules": ["QUIC protocol implementation", "packet processing module"], "packageName": "xquic", "platforms": ["Linux"], "product": "Xquic Server", "repo": "https://github.com/alibaba/xquic", "vendor": "Xquic Project", "versions": [{"changes": [{"at": "1.9.0", "status": "unaffected"}], "lessThanOrEqual": "1.8.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": ": Out-of-bounds Write vulnerability in Xquic Project Xquic Server xquic on Linux (QUIC protocol implementation, packet processing module modules) allows : Buffer Manipulation.<p>This issue affects Xquic Server: through 1.8.3.</p>"}], "value": ": Out-of-bounds Write vulnerability in Xquic Project Xquic Server xquic on Linux (QUIC protocol implementation, packet processing module modules) allows : Buffer Manipulation.This issue affects Xquic Server: through 1.8.3."}], "impacts": [{"capecId": "CAPEC-123", "descriptions": [{"lang": "en", "value": "CAPEC-123: Buffer Manipulation"}]}], "metrics": [{"cvssV4_0": {"Automatable": "YES", "Recovery": "USER", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 6.6, "baseSeverity": "MEDIUM", "exploitMaturity": "UNREPORTED", "privilegesRequired": "NONE", "providerUrgency": "AMBER", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/AU:Y/R:U/RE:M/U:Amber", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "MODERATE"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-787", "description": "CWE-787: Out-of-bounds Write", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "0cc2b86d-1d45-434d-ae74-11d09ec61ae8", "shortName": "alibaba", "dateUpdated": "2026-02-03T03:22:48.256Z"}, "references": [{"url": "https://github.com/alibaba/xquic"}], "source": {"discovery": "UNKNOWN"}, "title": "Buffer Overflow in Xquic Server", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-03T17:17:50.280981Z", "id": "CVE-2026-1788", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-03T17:18:06.150Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1788", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-03T17:17:50.280981Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-03T17:18:02.285Z"}}], "cna": {"title": "Buffer Overflow in Xquic Server", "source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-123", "descriptions": [{"lang": "en", "value": "CAPEC-123: Buffer Manipulation"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "USER", "baseScore": 6.6, "Automatable": "YES", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/AU:Y/R:U/RE:M/U:Amber", "exploitMaturity": "UNREPORTED", "providerUrgency": "AMBER", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "MODERATE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/alibaba/xquic", "vendor": "Xquic Project", "modules": ["QUIC protocol implementation", "packet processing module"], "product": "Xquic Server", "versions": [{"status": "affected", "changes": [{"at": "1.9.0", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "1.8.3"}], "platforms": ["Linux"], "packageName": "xquic", "collectionURL": "https://github.com", "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/alibaba/xquic"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": ": Out-of-bounds Write vulnerability in Xquic Project Xquic Server xquic on Linux (QUIC protocol implementation, packet processing module modules) allows : Buffer Manipulation.This issue affects Xquic Server: through 1.8.3.", "supportingMedia": [{"type": "text/html", "value": ": Out-of-bounds Write vulnerability in Xquic Project Xquic Server xquic on Linux (QUIC protocol implementation, packet processing module modules) allows : Buffer Manipulation.<p>This issue affects Xquic Server: through 1.8.3.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-787", "description": "CWE-787: Out-of-bounds Write"}]}], "providerMetadata": {"orgId": "0cc2b86d-1d45-434d-ae74-11d09ec61ae8", "shortName": "alibaba", "dateUpdated": "2026-02-03T03:22:48.256Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1788", "state": "PUBLISHED", "dateUpdated": "2026-02-03T17:18:06.150Z", "dateReserved": "2026-02-03T03:04:55.808Z", "assignerOrgId": "0cc2b86d-1d45-434d-ae74-11d09ec61ae8", "datePublished": "2026-02-03T03:22:48.256Z", "assignerShortName": "alibaba"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": ": Out-of-bounds Write vulnerability in Xquic Project Xquic Server xquic on Linux (QUIC protocol implementation, packet processing module modules) allows : Buffer Manipulation.This issue affects Xquic Server: through 1.8.3."}, {"lang": "es", "value": "Vulnerabilidad de escritura fuera de l\u00edmites en Xquic Project Servidor Xquic xquic en Linux (implementaci\u00f3n del protocolo QUIC, m\u00f3dulo de procesamiento de paquetes) permite: Manipulaci\u00f3n de B\u00fafer. Este problema afecta a Servidor Xquic: hasta 1.8.3."}], "id": "CVE-2026-1788", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "YES", "Recovery": "USER", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "UNREPORTED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "AMBER", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:X/RE:M/U:Amber", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "MODERATE"}, "source": "alibaba-cna@list.alibaba-inc.com", "type": "Secondary"}]}, "published": "2026-02-03T04:15:56.190", "references": [{"source": "alibaba-cna@list.alibaba-inc.com", "url": "https://github.com/alibaba/xquic"}], "sourceIdentifier": "alibaba-cna@list.alibaba-inc.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "alibaba-cna@list.alibaba-inc.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T00:26:37.342153+00:00", "value": {"mitigation_remediation": ["Update Xquic Server to version 1.8.4 or later to apply the out\u2011of\u2011bounds write fix.", "If an upgrade is not immediately possible, restrict QUIC traffic at the network perimeter by allowing only trusted peers or rate\u2011limiting untrusted connections.", "Enable system hardening features such as ASLR, stack canaries, and address space layout randomization that can mitigate the impact of a buffer overflow if triggered.", "Monitor logs for abnormal QUIC packet patterns and perform periodic integrity checks on critical memory regions."], "summary": {"action": "Upgrade", "impact": "Buffer Overflow enabling memory corruption"}, "threat_synthesis": {"affected_systems": "The issue affects the Xquic Server component of the Xquic Project on Linux. All releases through version 1.8.3 are vulnerable; versions from 1.8.4 onward contain the fix.", "description_and_impact": "Out\u2011of\u2011bounds write in the packet processing module of Xquic Server can lead to a buffer overflow that, if triggered by a malicious QUIC packet, may corrupt memory and potentially allow code execution or denial of service. The vulnerability is classified as CWE\u2011787 and is reported to have a CVSS score of 6.6, which indicates a moderate severity. The description does not explicitly state the attacker\u2019s capabilities, but the vulnerability is tied to network\u2011bound QUIC traffic, so the likely attack vector is remote, from an external attacker able to craft malicious packets.", "risk_and_exploitability": "The CVSS score of 6.6 is moderate, but the EPSS score is below 1%, indicating a very low exploitation probability at this time. The vulnerability is not listed in the CISA KEV catalog, which further suggests limited exploitation activity. Nevertheless, because the flaw can be triggered remotely, it poses a potential threat if an attacker obtains focused knowledge of the affected deployment. The absence of a publicly available exploitation kit reduces the likelihood of widespread attacks, yet security teams should remain vigilant."}}}}, "created": "2026-02-04T12:14:52.209938+00:00", "updated": "2026-04-18T00:30:25.714864+00:00", "vendors": ["alibaba", "alibaba$PRODUCT$xquic_server"]}