This document is a renewal of RFC 8312 in order to progress in the standards track.  The document fixes some language and revises the authors, but significantly describes the standard as something that has already been adopted and implemented in multiple popular operating systems. 

The security considerations section is very brief, and reads as follows:

CUBIC makes no changes to the underlying security of TCP. More information about TCP security concerns can be found in [RFC5681].

This is a claim, which I believe to be true, but it also should be substantiated. Specifically changing the window computation on the sender may allow an attacker, through dropping or injecting ACKs (a practice described in RFC 5681), to either force the CUBIC implementation to reduce its bandwidth, or to convince it that there is no congestion when congestion does exist, and use the CUBIC implementation as an attack vector against other hosts. Of course, these attacks are only interesting if they give the attacker some significant power not afforded by plain old TCP.

So why is this a nit? Because I believe this is the case, and all I'm missing is a statement that it is so.