Security · 1h ago
Unpatched XRING Flaw in Alibaba's XQUIC Lets Remote Clients Crash HTTP/3 Servers
A single variable error in Alibaba's XQUIC library allows any remote client to crash HTTP/3 servers with just 260 bytes of normal traffic. FoxIO researcher Sébastien Féry disclosed the flaw, named XRING, on July 8. No patch is available yet, and the attack requires no authentication or malformed packets.
Meridian48 take
The lack of a patch for a trivial-to-exploit flaw in a widely used library underscores the fragility of QUIC/HTTP/3 implementations.
Read the full reporting
Unpatched XRING Flaw in XQUIC Lets Remote Clients Crash HTTP/3 Servers →
The Hacker News
xquichttp3