PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-10099 XX-net CVE debrief

A WebSocket frame parsing vulnerability in XX-Net V5.16.6 allows an attacker to corrupt application data by sending unmasked WebSocket frames. The `WebSocket_receive_worker` routine in `simple_http_server.py` reads 4 bytes as a masking key unconditionally, without checking whether the MASK bit is set in the frame header. On an unmasked frame the first 4 bytes of payload are therefore consumed as the key and the remaining payload is XOR-decoded with them, producing garbage. The same routine also omits the RSV-bit, opcode and FIN/fragmentation checks that RFC 6455 requires. The issue was disclosed on 2026-05-29 with a CVSS 4.0 score of 5.1 (MEDIUM). A fix commit and pull request are available.

Vendor
XX-net
Product
Unknown
CVSS
MEDIUM 5.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-29
Original CVE updated
2026-05-29
Advisory published
2026-05-29
Advisory updated
2026-05-29

Who should care

  • Organizations running XX-Net V5.16.6, the version named in the advisory, or any earlier release that carries the same `WebSocket_receive_worker` code
  • Developers who have built custom WebSocket servers on XX-Net code, or who copied its frame parser
  • Security teams reviewing WebSocket implementations for RFC 6455 compliance

Technical summary

The vulnerability is in the `WebSocket_receive_worker` function in `simple_http_server.py` in XX-Net V5.16.6. The parser does not test the MASK bit (the most significant bit, 0x80, of the second header byte) before reading a 4-byte masking key. For an unmasked frame (MASK=0) it consumes the first 4 bytes of the actual payload as the key, XOR-decodes the rest of the payload with those misinterpreted bytes, and, because the declared length now extends 4 bytes past the data it has, comes up short on the payload as well. The result is corrupted application data rather than a confidentiality or availability impact, which is consistent with the MEDIUM score. The bug is invisible to compliant clients, which always mask client-to-server frames; it is only reachable by a sender that deliberately omits masking, which RFC 6455 section 5.1 says a server must treat as a protocol error and answer by failing the connection. The routine also lacks the other header validation RFC 6455 requires: it does not reject frames with RSV bits set when no extension was negotiated, does not reject reserved opcodes, and does not enforce the FIN/continuation rules for fragmented messages.

Defensive priority

medium

Recommended defensive actions

  • Apply the fix commit referenced in the advisory to XX-Net deployments, or upgrade to a release that contains it
  • Review the frame parsing logic of any custom WebSocket server derived from XX-Net or written in-house against RFC 6455 section 5.2
  • Read the 4-byte masking key only when the MASK bit is set; on the server side, treat an unmasked client frame as a protocol error and fail the connection (close code 1002) rather than decoding it
  • Reject frames with RSV bits set when no extension was negotiated, frames with reserved opcodes, fragmented or oversized control frames, and continuation frames that do not match an in-progress fragmented message
  • Log and alert on connections closed for protocol errors, in particular unmasked client-to-server frames, since a compliant client never sends them and their appearance indicates a hand-crafted sender
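To make the failure mode in the technical summary and the checks in the list above concrete, the following is an added Python example; it is not XX-Net code and not the patch. `parse_frame_naive` is a minimal model of the behaviour the advisory describes (the 4-byte mask key is read regardless of the MASK bit) and does not reproduce the project's source. `parse_frame_strict` and `reassemble` apply the RFC 6455 MASK, RSV, opcode and FIN/fragmentation checks the recommended actions call for. The sample payload, the mask key and all function names are this example's own and do not correspond to identifiers in `simple_http_server.py`.

```python
"""Added example (not XX-Net code): a model of the described unmasked-frame bug
beside a parser that applies the RFC 6455 checks the advisory says were missing."""
from __future__ import annotations
import struct

SAMPLE_TEXT = b"hello websocket"  # constructed payload, not taken from the advisory
MASK_KEY = b"\x12\x34\x56\x78"     # constructed masking key


class ProtocolError(ValueError):
    """Frame violates RFC 6455; a server should fail the connection (close code 1002)."""


def build_frame(payload: bytes, masked: bool, opcode: int = 0x1, fin: bool = True,
                rsv: int = 0, mask_key: bytes = MASK_KEY) -> bytes:
    """Build one frame in the short-length form (payload under 126 bytes)."""
    assert len(payload) < 126
    first = (0x80 if fin else 0) | ((rsv & 0x7) << 4) | (opcode & 0xF)
    second = (0x80 if masked else 0) | len(payload)   # MASK is the MSB of byte 2
    if not masked:
        return bytes([first, second]) + payload
    body = bytes(b ^ mask_key[i % 4] for i, b in enumerate(payload))
    return bytes([first, second]) + mask_key + body


def parse_frame_naive(frame: bytes) -> bytes:
    """Model of the reported bug: the 4-byte mask key is read unconditionally, so on
    an unmasked frame 4 payload bytes become the key and the rest is XOR-scrambled."""
    length = frame[1] & 0x7F
    mask_key = frame[2:6]                 # never checks frame[1] & 0x80
    body = frame[6:6 + length]            # now 4 bytes short of the declared length
    return bytes(b ^ mask_key[i % 4] for i, b in enumerate(body))


def parse_frame_strict(frame: bytes, from_client: bool = True) -> tuple[int, bool, bytes]:
    """Parse one frame with the header validation RFC 6455 requires of a server."""
    if len(frame) < 2:
        raise ProtocolError("truncated header")
    first, second = frame[0], frame[1]
    fin, rsv, opcode = bool(first & 0x80), (first >> 4) & 0x7, first & 0x0F
    masked, length = bool(second & 0x80), second & 0x7F
    if rsv:
        raise ProtocolError(f"RSV bits {rsv:#x} set with no extension negotiated")
    if opcode not in (0x0, 0x1, 0x2, 0x8, 0x9, 0xA):
        raise ProtocolError(f"reserved opcode {opcode:#x}")
    if opcode >= 0x8 and (not fin or length > 125):
        raise ProtocolError("control frame fragmented or longer than 125 bytes")
    if masked != from_client:             # s5.1: client frames MUST be masked, server frames MUST NOT
        raise ProtocolError("MASK bit does not match frame direction")
    offset = 2
    if length >= 126:                     # 16- or 64-bit extended payload length
        fmt, size = ("!H", 2) if length == 126 else ("!Q", 8)
        if len(frame) < offset + size:
            raise ProtocolError("truncated extended length")
        (length,) = struct.unpack_from(fmt, frame, offset)
        offset += size
        if length >> 63:
            raise ProtocolError("MSB of 64-bit length must be 0")
    mask_key = frame[offset:offset + 4] if masked else b""
    offset += 4 if masked else 0          # key bytes are consumed only when MASK is set
    if len(frame) < offset + length:
        raise ProtocolError("frame shorter than declared payload length")
    body = frame[offset:offset + length]
    if masked:
        body = bytes(b ^ mask_key[i % 4] for i, b in enumerate(body))
    return opcode, fin, body


def reassemble(frames: list[bytes], from_client: bool = True) -> list[tuple[int, bytes]]:
    """Apply the FIN/continuation rules of RFC 6455 s5.4 across a frame sequence."""
    messages, pending_op, buf = [], None, bytearray()
    for frame in frames:
        opcode, fin, body = parse_frame_strict(frame, from_client)
        if opcode >= 0x8:                 # control frames may interleave a fragmented message
            messages.append((opcode, body))
            continue
        if opcode == 0x0 and pending_op is None:
            raise ProtocolError("continuation frame with no message in progress")
        if opcode != 0x0 and pending_op is not None:
            raise ProtocolError("new data frame while a fragmented message is pending")
        pending_op = pending_op if opcode == 0x0 else opcode
        buf += body
        if fin:
            messages.append((pending_op, bytes(buf)))
            pending_op, buf = None, bytearray()
    return messages


def rejected(fn, *args) -> bool:
    """True if fn(*args) raises ProtocolError, i.e. the strict path refuses the input."""
    try:
        fn(*args)
    except ProtocolError:
        return True
    return False
```

Feeding `build_frame(SAMPLE_TEXT, masked=False)` to `parse_frame_naive` returns an 11-byte scramble instead of the 15-byte text, while the same frame with the MASK bit set decodes correctly, which is why a parser like this passes every test driven by a compliant client. `parse_frame_strict` refuses the unmasked client frame outright, along with frames carrying RSV bits, reserved opcodes, fragmented control frames and truncated payloads; `reassemble` refuses a continuation frame with no message in progress and a new data frame that arrives while one is pending.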

Evidence notes

Vulnerability disclosed via a VulnCheck advisory with GitHub commit, issue, and pull request references. The CVSS 4.0 vector is provided in the NVD source. CWE-1286 (Improper Validation of Syntactic Correctness of Input) is the assigned primary weakness.

Official resources

2026-05-29