In LiteSpeed QUIC (LSQUIC) Library before 4.0.4, DCID validation is mishandled.
The vulnerability results from improper handling of the DCID (Destination Connection ID) field validation in the QUIC protocol, classified as CWE-354 — insufficient data integrity validation. An attacker can send crafted network packets with incorrect or manipulated DCID, which the library processes improperly. Lack of proper verification of this field can lead to unexpected library behavior. The vulnerability is accessible remotely, without user interaction, and without required privileges (vector AV:N/AC:L/PR:N/UI:N).
A remote, unauthenticated attacker may potentially gain unauthorized access to data, compromise system integrity, or cause system unavailability — according to CVSS assessment indicating high impact on confidentiality, integrity, and availability (C:H/I:H/A:H).
Update the LSQUIC library to version 4.0.4 or later, available at: https://github.com/litespeedtech/lsquic/releases/tag/v4.0.4. The fix was introduced in commit 515f453556c99d27c4dddb5424898dc1a5537708.
LiteSpeed QUIC (LSQUIC) Library in versions prior to 4.0.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HLitespeedtech Lsquic
APPLitespeedtech< 4.0.4
Related vulnerabilities
liblsquic/lsquic_qenc_hdl.c in LiteSpeed QUIC (aka LSQUIC) before 3.1.0 mishandles MAX_TABLE_CAPACITY.
LiteSpeed QUIC (LSQUIC) Library before 4.3.1 has an lsquic_engine_packet_in memory leak.
LiteSpeed cPanel Plugin — privilege escalation (możliwe root) via Redis
LiteSpeed Cache – nieuwierzytelnione przejęcie konta przez ujawnione dane logowania
Privilege escalation bez uwierzytelnienia w LiteSpeed Cache dla WordPress