CVE-2026-10099: XX-Net V5.16.6 WebSocket Frame Parsing Data Corruption
XX-Net V5.16.6 has a flaw in how it processes WebSocket communications that causes data corruption. When a client sends WebSocket frames without proper masking, the server incorrectly interprets the first 4 bytes of the message as a mask key (even when masking wasn't used), then mangles the rest of the data by applying the wrong decryption. This results in corrupted data being processed by the application. The vulnerability affects local attack scenarios and has medium severity.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.0 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
- Weaknesses (CWE)
- CWE-1286
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-29 / 2026-06-17
NVD description (verbatim)
XX-Net V5.16.6 contains a WebSocket frame parsing vulnerability in the WebSocket_receive_worker routine of simple_http_server.py that allows attackers to cause corrupted application data by sending unmasked WebSocket frames. The server unconditionally reads 4 bytes as a masking key regardless of whether the MASK bit is set in the frame header, causing the first 4 bytes of payload to be consumed as a mask key and the remaining payload to be incorrectly XOR-decoded, resulting in data corruption alongside missing RSV bit, opcode, and FIN fragmentation validations.
4 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in the WebSocket_receive_worker routine within simple_http_server.py. WebSocket protocol (RFC 6455) requires clients to mask frames and servers to unmask them; the MASK bit in the frame header indicates whether masking was applied. XX-Net V5.16.6 unconditionally consumes 4 bytes as a masking key regardless of the MASK bit state. This causes the first 4 payload bytes to be misinterpreted as a key, the remaining payload to be incorrectly XOR-decoded, and complete absence of validation for RSV bits, opcode integrity, and FIN fragmentation flags. The result is corrupted application data and protocol state violations.
Business impact
Applications relying on XX-Net V5.16.6 for WebSocket communication may receive corrupted data from clients, leading to application errors, incomplete transactions, or data integrity issues. This is particularly concerning in systems where WebSocket frames carry structured or sensitive information. The local attack vector limits exposure in remote-only deployments, but systems accepting untrusted local connections face elevated risk. Data integrity failures could cascade into downstream systems consuming the corrupted payloads.
Affected systems
XX-Net V5.16.6 is affected. Verify against vendor advisories for patched versions and the scope of affected releases. Deployments should check whether they use the vulnerable version and whether they rely on WebSocket functionality for message handling.
Exploitability
This vulnerability requires local access (AV:L) and no privileges or user interaction (PR:N, UI:N), making it exploitable by any local process or user able to send WebSocket frames to the vulnerable server. The simple nature of the flaw—unconditional reading of 4 bytes as a mask key—means reliable reproduction is straightforward. No special conditions or configuration are required. Remote exploitability is not indicated, limiting the threat model to local network access or compromised local processes.
Remediation
Upgrade XX-Net to a patched version that correctly validates the MASK bit before attempting to read the masking key, implements proper RFC 6455 compliance, and adds validation for RSV bits, opcode, and FIN flags. Verify the exact patched version against the vendor's security advisory. Until patching is possible, restrict WebSocket access to trusted local clients only and monitor for unexpected frame parsing errors in application logs.
Patch guidance
Consult the official XX-Net vendor security advisory for the specific patched version number and upgrade path. Test the patched version in a non-production environment to confirm WebSocket functionality and data integrity before rolling out to production systems. Pay particular attention to any systems where WebSocket frames are parsed by downstream components.
Detection guidance
Monitor application logs for WebSocket frame parsing errors, data corruption alerts, or protocol violations. Network-level detection is limited due to the local attack vector (AV:L), but systems processing WebSocket frames should log failed unmask operations and protocol validation failures. Application-level validation of received data integrity and checksums may reveal corruption caused by this flaw. Consider temporary application-level frame validation as a detective control pending patching.
Why prioritize this
Although CVSS 3.1 rates this as MEDIUM (4.0), prioritization depends on your WebSocket use cases and local threat model. If XX-Net serves only trusted local clients or is not deployed in multi-tenant environments, risk is lower. However, if it processes frames from untrusted local sources or handles sensitive data, corruption could have material impact on data integrity and system reliability. The lack of KEV status and remote attack vector argue for standard patch cadence rather than emergency response, but systems handling critical WebSocket communication should address it sooner.
Risk score, explained
CVSS 3.1 score of 4.0 (MEDIUM) reflects: (1) Local attack vector only (AV:L), limiting exposure to attackers with local system access; (2) No privileges or user interaction required (PR:N, UI:N), making it trivial to trigger by any local process; (3) Integrity impact only (I:L), causing data corruption without confidentiality or availability loss; (4) Unified scope (S:U), no privilege escalation; (5) No confidentiality or availability impact (C:N, A:N). The score appropriately reflects a data integrity issue with local-only exploitability.
Frequently asked questions
Can this vulnerability be exploited remotely?
No. The attack vector is local (AV:L), requiring the attacker to have access to the local system or network interface where XX-Net is listening. Remote clients cannot exploit this vulnerability unless they have local access to the system running XX-Net.
What happens if corrupted WebSocket data is processed by downstream applications?
Downstream systems may receive malformed or incomplete data, leading to parsing errors, transaction failures, or data inconsistencies. If the receiving application does not validate data integrity independently, the corruption will propagate, potentially causing failures in dependent systems.
Are older versions of XX-Net also vulnerable?
The CVE references XX-Net V5.16.6 specifically. Earlier and later versions may be affected depending on when the vulnerability was introduced and when it was patched. Consult the vendor advisory for the complete list of affected versions.
What is the difference between frame masking and the MASK bit in the WebSocket protocol?
Frame masking is a security measure where clients XOR-encode payload bytes using a 4-byte random key to prevent cache poisoning in proxies. The MASK bit in the frame header indicates whether the payload is masked. Servers must check the MASK bit before attempting to unmask; XX-Net V5.16.6 skips this check and always reads 4 bytes as a mask key, corrupting unmasked frames.
This analysis is based on the CVE description and CVSS scoring provided as of the publication date. Specific patch version numbers, vendor advisory links, and product-specific impact assessments should be verified directly with XX-Net vendors and your organization's vendor management process. The local attack vector significantly limits real-world exposure in remote-only or air-gapped deployments. Security teams should assess their specific WebSocket use cases and threat models before prioritization. No exploit code or weaponization details are provided; this explainer is for defensive awareness only. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2019-25720MEDIUMDräger SC Monitoring DoS – Network Reboot Attack
- CVE-2019-25723MEDIUMDräger Perseus A500 Medibus DoS Vulnerability – CVSS 4.0 Analysis & Mitigation
- CVE-2021-4479MEDIUMDräger Atlan A350 Denial of Service via Medibus Interface
- CVE-2025-8873HIGHArista EOS IPsec Denial of Service Vulnerability
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2018-25387MEDIUMHaPe PKH 1.1 Cross-Site Request Forgery (CSRF) Admin Password Reset
- CVE-2018-25393MEDIUMNavigate CMS 2.8.5 Path Traversal Vulnerability (CVSS 6.5)
- CVE-2018-25397MEDIUMCSRF Vulnerability in PHP-SHOP 1.0 – Admin Account Injection