ShellCodeX
Tools • Events • News • Insights
ShellCodeX Intelligence Brief
CRITICAL Cybersecurity

XRING flaw in XQUIC can crash HTTP/3 servers via valid QPACK traffic

Source headline: Unpatched XRING Flaw in XQUIC Lets Remote Clients Crash HTTP/3 Servers

Threat level Critical
Signal strength 75/100
Source confidence 1 source
Published 5 days ago

Intelligence Summary

A security issue in XQUIC, Alibaba’s QUIC/HTTP/3 implementation, allows remote clients to crash HTTP/3 servers. The researcher Sébastien Féry describes the bug as XRING and notes it can be triggered without authentication. The crash can be provoked using a short burst of traffic that appears to be legitimate QPACK input. There is currently no official patch available. Operators running affected XQUIC-based services should assume availability risk and consider mitigations while awaiting a fix.

Recommended Action

Prioritize immediate review, validate exposure, and patch or mitigate affected systems.

Topics

#http3 #qpack #quic #remote-crash #xquic #xring
Original reporting The Hacker News Unpatched XRING Flaw in XQUIC Lets Remote Clients Crash HTTP/3 Servers
Open original source