← Back
2026-05-29 15:58CVE-2026-10099VulnCheck
PUBLISHED5.2CWE-1286

XX-Net V5.16.6 WebSocket Frame Parsing Data Corruption via simple_http_server.py

XX-Net V5.16.6 contains a WebSocket frame parsing vulnerability in the WebSocket_receive_worker routine of simple_http_server.py that allows attackers to cause corrupted application data by sending unmasked WebSocket frames. The server unconditionally reads 4 bytes as a masking key regardless of whether the MASK bit is set in the frame header, causing the first 4 bytes of payload to be consumed as a mask key and the remaining payload to be incorrectly XOR-decoded, resulting in data corruption alongside missing RSV bit, opcode, and FIN fragmentation validations.

Problem type

Affected products

XX-net

XX-Net

<= 5.16.6 - AFFECTED

<= 43aec6f - AFFECTED

References

github.com

https://github.com/XX-net/XX-Net/issues/14169

issue-tracking
github.com

https://github.com/XX-net/XX-Net/pull/14170

technical-description
github.com

https://github.com/XX-net/XX-Net/commit/a68b972a84ed6e52df9f30237cf47493b9231b53

patch
vulncheck.com

https://www.vulncheck.com/advisories/xx-net-websocket-frame-parsing-data-corruption-via-simple-http-server-py

third-party-advisory

JSON source

https://cveawg.mitre.org/api/cve/CVE-2026-10099
Click to expand
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-10099",
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "dateUpdated": "2026-05-29T15:58:24.062Z",
    "dateReserved": "2026-05-29T15:03:52.130Z",
    "datePublished": "2026-05-29T15:58:24.062Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck",
        "dateUpdated": "2026-05-29T15:58:24.062Z"
      },
      "datePublic": "2026-05-29T15:55:00.000Z",
      "title": "XX-Net V5.16.6 WebSocket Frame Parsing Data Corruption via simple_http_server.py",
      "descriptions": [
        {
          "lang": "en",
          "value": "XX-Net V5.16.6 contains a WebSocket frame parsing vulnerability in the WebSocket_receive_worker routine of simple_http_server.py that allows attackers to cause corrupted application data by sending unmasked WebSocket frames. The server unconditionally reads 4 bytes as a masking key regardless of whether the MASK bit is set in the frame header, causing the first 4 bytes of payload to be consumed as a mask key and the remaining payload to be incorrectly XOR-decoded, resulting in data corruption alongside missing RSV bit, opcode, and FIN fragmentation validations.",
          "supportingMedia": [
            {
              "type": "text/html",
              "base64": false,
              "value": "<p>XX-Net V5.16.6 contains a WebSocket frame parsing vulnerability in the WebSocket_receive_worker routine of simple_http_server.py that allows attackers to cause corrupted application data by sending unmasked WebSocket frames. The server unconditionally reads 4 bytes as a masking key regardless of whether the MASK bit is set in the frame header, causing the first 4 bytes of payload to be consumed as a mask key and the remaining payload to be incorrectly XOR-decoded, resulting in data corruption alongside missing RSV bit, opcode, and FIN fragmentation validations.</p>"
            }
          ]
        }
      ],
      "affected": [
        {
          "vendor": "XX-net",
          "product": "XX-Net",
          "defaultStatus": "unknown",
          "versions": [
            {
              "version": "0",
              "status": "affected",
              "versionType": "git",
              "lessThanOrEqual": "5.16.6"
            },
            {
              "version": "0",
              "status": "affected",
              "versionType": "git",
              "lessThanOrEqual": "43aec6f"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "CWE-1286 – Improper Validation of Syntactic Correctness of Input",
              "cweId": "CWE-1286",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://github.com/XX-net/XX-Net/issues/14169",
          "tags": [
            "issue-tracking"
          ]
        },
        {
          "url": "https://github.com/XX-net/XX-Net/pull/14170",
          "tags": [
            "technical-description"
          ]
        },
        {
          "url": "https://github.com/XX-net/XX-Net/commit/a68b972a84ed6e52df9f30237cf47493b9231b53",
          "tags": [
            "patch"
          ]
        },
        {
          "url": "https://www.vulncheck.com/advisories/xx-net-websocket-frame-parsing-data-corruption-via-simple-http-server-py",
          "tags": [
            "third-party-advisory"
          ]
        }
      ],
      "metrics": [
        {
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ],
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "attackVector": "LOCAL",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE",
            "baseScore": 4,
            "baseSeverity": "MEDIUM"
          }
        },
        {
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "YU SUN",
          "type": "finder"
        }
      ]
    }
  }
}